Skip to main content

Assessment Results Model v1.0.0-rc2 XML Format Reference

The following is the XML format reference for this model, which is organized hierarchically. Each entry represents the corresponding XML element or attribute in the model's XML format, and provides details about the semantics and use of the element or attribute. The XML Format Outline provides a streamlined, hierarchical representation of this model's XML format which can be used along with this reference to better understand the XML representation of this model.

OSCAL model OSCAL Assessment Results Model

Schema version: 1.0.0-rc2

XML namespace http://csrc.nist.gov/ns/oscal/1.0

XML Schema oscal_assessment-results_schema.xsd

JSON to XML converter oscal_assessment-results_json-to-xml-converter.xsl (How do I use the converter to convert OSCAL JSON to XML?)

The OSCAL assessment results format is used to describe the information typically provided by an assessor following an assessment.The root of the OSCAL assessment results format is assessment-results.

assessment-results

element
(global definition)

Security Assessment Results (SAR)

Description Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.

Attribute (1)

uuid

uuid

[1]

Assessment Results Universally Unique Identifier

Description Uniquely identifies this assessment results file. This UUID must be changed each time the content of the results changes.

Elements (5)

metadata

element
(global definition)

[1]

Publication metadata

Description Provides information about the publication and availability of the containing document.

Constraints (11)

index for role an index index-metadata-role-ids shall list values returned by targets role using keys constructed of key field(s) @id

is unique for document-id: any target value must be unique (i.e., occur only once)

is unique for prop: any target value must be unique (i.e., occur only once)

index for .//prop an index index-metadata-property-id shall list values returned by targets .//prop using keys constructed of key field(s) @id

is unique for link: any target value must be unique (i.e., occur only once)

index for role an index index-metadata-role-id shall list values returned by targets role using keys constructed of key field(s) @id

index for location an index index-metadata-location-uuid shall list values returned by targets location using keys constructed of key field(s) @uuid

index for party an index index-metadata-party-uuid shall list values returned by targets party using keys constructed of key field(s) @uuid

index for party[@type='organization'] an index index-metadata-party-organizations-uuid shall list values returned by targets party[@type='organization'] using keys constructed of key field(s) @uuid

allowed values for responsible-party/@role-id

The value may be locally defined, or one of the following:

  • prepared-by: Indicates the organization that created this content.
  • prepared-for: Indicates the organization for which this content was created.
  • content-approver: Indicates the organization responsible for all content represented in the "document".

allowed values for link/@rel

The value may be locally defined, or one of the following:

  • canonical: The link identifies the authoritative location for this file.
  • alternate: The link identifies an alternative location or format for this file.
  • latest-version: This link identifies a resource containing the latest version in the version history. Defined by RFC 5829.
  • predecessor-version: This link identifies a resource containing the predecessor version in the version history. RFC 5829.
  • successor-version: This link identifies a resource containing the predecessor version in the version history. RFC 5829.
Elements (14)

title

markup-line

[1]

Document Title

Description A name given to the document, which may be used by a tool for display and navigation.

published

dateTime-with-timezone

[0 or 1]

Publication Timestamp

Description The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included.

Remarks

This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the published value should indicate when the OSCAL document was published, not the source material. Where necessary, the publication date of the original source material can be captured as a named property or custom metadata construct.

A publisher of OSCAL content can use this data point along with its siblings last-modified and version to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.

last-modified

dateTime-with-timezone

[1]

Last Modified Timestamp

Description The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included.

Remarks

This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified value should indicate the modification time of the OSCAL document, not the source material.

A publisher of OSCAL content can use this data point along with its siblings published and version to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.

version

string

[1]

Document Version

Description A string used to distinguish the current version of the document from other previous (and future) versions.

Remarks

A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.

While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.

A publisher of OSCAL content can use this data point along with its siblings published and last-modified to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.

oscal-version

string

[1]

OSCAL version

Description The OSCAL model version the document was authored against.

Remarks

Indicates the version of the OSCAL model to which this data set conforms, for example 1.1.0 or 1.0.0-M1. That can be used as a hint by a tool to indicate which version of the OSCAL XML or JSON schema to use for validation.

revisions

element

[0 or 1]

Element (1)

revision

element

[0 to ∞]

Revision History Entry

Description An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).

Remarks

While published, last-modified, oscal-version, and version are not required, values for these entries should be provided if the information is known. For a revision entry to be considered valid, at least one of the following items must be provided: published, last-modified, version, or a link with a rel of source.

Constraints (2)

has cardinality for published|last-modified|version|link[@rel='source'] the cardinality of published|last-modified|version|link[@rel='source'] is constrained: 1; maximum unbounded.

allowed value for link/@rel

The value may be locally defined, or the following:

  • source: Indicates that the href points to the source resource for the revision entry.
Elements (8)
title

markup-line

[0 or 1]

Document Title

Description A name given to the document revision, which may be used by a tool for display and navigation.

published

dateTime-with-timezone

[0 or 1]

Publication Timestamp

Description The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included.

Remarks

This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the published value should indicate when the OSCAL document was published, not the source material. Where necessary, the publication date of the original source material can be captured as a named property or custom metadata construct.

A publisher of OSCAL content can use this data point along with its siblings last-modified and version to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.

last-modified

dateTime-with-timezone

[0 or 1]

Last Modified Timestamp

Description The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included.

Remarks

This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified value should indicate the modification time of the OSCAL document, not the source material.

A publisher of OSCAL content can use this data point along with its siblings published and version to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.

version

string

[0 or 1]

Document Version

Description A string used to distinguish the current version of the document from other previous (and future) versions.

Remarks

A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.

While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.

A publisher of OSCAL content can use this data point along with its siblings published and last-modified to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.

oscal-version

string

[0 or 1]

OSCAL version

Description The OSCAL model version the document was authored against.

Remarks

Indicates the version of the OSCAL model to which this data set conforms, for example 1.1.0 or 1.0.0-M1. That can be used as a hint by a tool to indicate which version of the OSCAL XML or JSON schema to use for validation.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

document-id

string

[0 to ∞]

Document Identifier

Description A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element.

Remarks

This element is optional, but it will always have a valid value, as if it is missing the value of "document-id" is assumed to be equal to the UUID of the root. This requirement allows for document creators to retroactively link an update to the original version, by providing a document-id on the new document that is equal to the uuid of the original document.

Attribute (1)

scheme

uri

[0 or 1]

Document Identification Scheme

Description Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • https://www.doi.org/: A Digital Object Identifier (DOI); use is preferred, since this allows for retrieval of a full bibliographic record.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

role

element
(global definition)

[0 to ∞]

Role

Description Defines a function assumed or expected to be assumed by a party in a specific situation.

Remarks

Permissible values to be determined closer to the application (e.g. by a receiving authority).

Attribute (1)

id

NCName

[1]

Role Identifier

Description A unique identifier for a specific role instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same role across minor revisions of the document.

Remarks

OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.

Elements (6)

title

markup-line

[1]

Role Title

Description A name given to the role, which may be used by a tool for display and navigation.

short-name

string

[0 or 1]

Role Short Name

Description A short common name, abbreviation, or acronym for the role.

description

markup-multiline

[0 or 1]

Role Description

Description A summary of the role's purpose and associated responsibilities.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

location

element
(global definition)

[0 to ∞]

Location

Description A location, with associated metadata that can be referenced.

Constraints (3)

allowed value for prop/@name

The value may be locally defined, or the following:

  • type: Characterizes the kind of location.

allowed value for prop[@name='type']/@value

The value may be locally defined, or the following:

  • data-center: A location that contains computing assets. A class can be used to indicate a subclass of data-center.

allowed values for prop[@name='type' and @value='data-center']/@class

The value may be locally defined, or one of the following:

  • primary: The location is a data-center used for normal operations.
  • alternate: The location is a data-center used for fail-over or backup operations.
Attribute (1)

uuid

uuid

[1]

Location Universally Unique Identifier

Description A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.

Elements (8)

title

markup-line

[0 or 1]

Location Title

Description A name given to the location, which may be used by a tool for display and navigation.

address

element

[1]

Address

Description A postal address for the location.

Remarks

Typically, the physical address of the location will be used here. If this information is sensitive, then a mailing address can be used instead.

Attribute (1)
type

NCName

[0 or 1]

Address Type

Description Indicates the type of address.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • home: A home address.
  • work: A work address.
Elements (5)
addr-line

string

[0 to ∞]

Address line

Description A single line of an address.

city

string

[0 or 1]

City

Description City, town or geographical region for the mailing address.

state

string

[0 or 1]

State

Description State, province or analogous geographical region for mailing address

postal-code

string

[0 or 1]

Postal Code

Description Postal or ZIP code for mailing address

country

string

[0 or 1]

Country Code

Description The ISO 3166-1 alpha-2 country code for the mailing address.

Constraint (1)

matches: a target (value) must match the regular expression '[A-Z](2)'.

email-address

email

[0 to ∞]

Email Address

Description An email address as defined by RFC 5322 Section 3.4.1.

Remarks

This is a contact email associated with the location.

telephone-number

string

[0 to ∞]

Telephone Number

Description Contact number by telephone.

Remarks

A phone number used to contact the location.

Attribute (1)
type

string

[0 or 1]

type flag

Description Indicates the type of phone number.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • home: A home phone number.
  • office: An office phone number.
  • mobile: A mobile phone number.

url

uri

[0 to ∞]

Location URL

Description The uniform resource locator (URL) for a web site or Internet presence associated with the location.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

party

element
(global definition)

[0 to ∞]

Party (organization or person)

Description A responsible entity which is either a person or an organization.

Constraint (1)

allowed values for prop/@name

The value must be one of the following:

  • mail-stop: A mail stop associated with the party.
  • office: The name or number of the party's office.
  • job-title: The formal job title of a person.
Attributes (2)

uuid

uuid

[1]

Party Universally Unique Identifier

Description A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistantly used for a given party across revisions of the document.

type

string

[1]

Party Type

Description A category describing the kind of party the object describes.

Constraint (1)

allowed values

The value must be one of the following:

  • person: An individual.
  • organization: A group of individuals formed for a specific purpose.
Elements (11)

name

string

[0 or 1]

Party Name

Description The full name of the party. This is typically the legal name associated with the party.

short-name

string

[0 or 1]

Party Short Name

Description A short common name, abbreviation, or acronym for the party.

external-id

string

[0 to ∞]

Party External Identifier

Description An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID)

Attribute (1)
scheme

uri

[1]

External Identifier Schema

Description Indicates the type of external identifier.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • https://orcid.org/: The identifier is Open Researcher and Contributor ID (ORCID).

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

email-address

email

[0 to ∞]

Email Address

Description An email address as defined by RFC 5322 Section 3.4.1.

Remarks

This is a contact email associated with the party.

telephone-number

string

[0 to ∞]

Telephone Number

Description Contact number by telephone.

Remarks

A phone number used to contact the party.

Attribute (1)
type

string

[0 or 1]

type flag

Description Indicates the type of phone number.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • home: A home phone number.
  • office: An office phone number.
  • mobile: A mobile phone number.

A choice:

address

element

[0 to ∞]

Address

Description A postal address for the location.

Attribute (1)
type

NCName

[0 or 1]

Address Type

Description Indicates the type of address.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • home: A home address.
  • work: A work address.
Elements (5)
addr-line

string

[0 to ∞]

Address line

Description A single line of an address.

city

string

[0 or 1]

City

Description City, town or geographical region for the mailing address.

state

string

[0 or 1]

State

Description State, province or analogous geographical region for mailing address

postal-code

string

[0 or 1]

Postal Code

Description Postal or ZIP code for mailing address

country

string

[0 or 1]

Country Code

Description The ISO 3166-1 alpha-2 country code for the mailing address.

Constraint (1)

matches: a target (value) must match the regular expression '[A-Z](2)'.

location-uuid

uuid

[0 to ∞]

Location Reference

Description References a location defined in metadata.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) value()

member-of-organization

uuid

[0 to ∞]

Organizational Affiliation

Description Identifies that the party object is a member of the organization associated with the provided UUID.

Remarks

Parties of both the person or organization type can be associated with an organization using the member-of-organization.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-organizations-uuid using a key constructed of key field(s) value()

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

responsible-party

element
(global definition)

[0 to ∞]

Responsible Party

Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

Constraints (2)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

Attribute (1)

role-id

NCName

[1]

Responsible Role

Description The role that the party is responsible for.

Elements (4)

party-uuid

uuid

[1 to ∞]

Party Reference

Description References a party defined in metadata.

Remarks

Specifies one or more parties that are responsible for performing the associated role.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

import-ap

element
(global definition)

[1]

Import Assessment Plan

Description Used by assessment-results to import information about the original plan for assessing the system.

Remarks

Used by the SAR to import information about the original plan for assessing the system.

Attribute (1)

href

uri-reference

[1]

Assessment Plan Reference

Description >A resolvable URL reference to the assessment plan governing the assessment activities.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

local-definitions

element

[0 or 1]

Local Definitions

Description Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.

Elements (3)

objectives-and-methods

element
(global definition)

[0 to ∞]

Assessment-Specific Control Objective

Description A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.

Constraints (5)

allowed values for part

The value must be one of the following:

  • objective
  • assessment

has cardinality for part[@name='objective'] the cardinality of part[@name='objective'] is constrained: 0; maximum 1.

has cardinality for part[@name='assessment']/prop[@name='method'] the cardinality of part[@name='assessment']/prop[@name='method'] is constrained: 1; maximum 1.

has cardinality for part[@name='assessment']/part[@name='objects'] the cardinality of part[@name='assessment']/part[@name='objects'] is constrained: 1; maximum 1.

has cardinality for part[@name='objective']/prop[@name='method-id'] the cardinality of part[@name='objective']/prop[@name='method-id'] is constrained: 1; maximum unbounded.

Attribute (1)

control-id

NCName

[1]

Control Identifier Reference

Description A reference to a control identifier.

Remarks

The specified control-id must be a valid value within the baseline identified by the target system's SSP via the import-profile statement.

Elements (5)

description

markup-multiline

[0 or 1]

Objective Description

Description A human-readable description of this control objective.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

part

element
(global definition)

[1 to ∞]

Part

Description A partition of a control's definition or a child of another part.

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns "https://fedramp.gov", while DoD will use the ns "https://defense.gov" for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

Constraints (4)

allowed values for prop/@name

The value may be locally defined, or one of the following:

  • label: A human-readable label for the parent context.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.

allowed value for prop/@name

The value may be locally defined, or the following:

  • method: The assessment method to use. This typically appears on parts with the name "assessment".

has cardinality for prop[@name='method'] the cardinality of prop[@name='method'] is constrained: 1; maximum unbounded.

allowed values for prop[@name='method']/@value

The value must be one of the following:

  • INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
  • EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
  • TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
Attributes (4)
id

NCName

[0 or 1]

Part Identifier

Description A unique identifier for a specific part instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same part across minor revisions of the document.

name

NCName

[1]

Part Name

Description A textual label that uniquely identifies the part's semantic type.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • overview: An introduction to a control or a group of controls.
  • statement: A set of control implementation requirements.
  • item: An individual item within a control statement.
  • guidance: Additional information to consider when selecting, implementing, assessing, and monitoring a control.
  • objective: Describes a set of assessment objectives.
  • assessment: Describes a method-based assessment over a set of assessment objects.
  • objects: Provides a list of assessment objects.
ns

uri

[0 or 1]

Part Namespace

Description A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated text used in a part. This allows the semantics associated with a given name to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

class

NCName

[0 or 1]

Part Class

Description A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

A class can also be used in an OSCAL profile as a means to target an alteration to control content.

Elements (4+)
title

markup-line

[0 or 1]

Part Title

Description A name given to the part, which may be used by a tool for display and navigation.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

part

element
(global definition)

[0 to ∞]

Part

Description A partition of a control's definition or a child of another part.

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns "https://fedramp.gov", while DoD will use the ns "https://defense.gov" for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

Constraints (4)

allowed values for prop/@name

The value may be locally defined, or one of the following:

  • label: A human-readable label for the parent context.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.

allowed value for prop/@name

The value may be locally defined, or the following:

  • method: The assessment method to use. This typically appears on parts with the name "assessment".

has cardinality for prop[@name='method'] the cardinality of prop[@name='method'] is constrained: 1; maximum unbounded.

allowed values for prop[@name='method']/@value

The value must be one of the following:

  • INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
  • EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
  • TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

activity

element
(global definition)

[0 to ∞]

Activity

Description Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.

Constraints (3)

allowed value for prop/@name

The value may be locally defined, or the following:

  • method: The assessment method to use. This typically appears on parts with the name "assessment".

has cardinality for prop[@name='method'] the cardinality of prop[@name='method'] is constrained: 1; maximum unbounded.

allowed values for prop[@name='method']/@value

The value must be one of the following:

  • INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
  • EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
  • TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
Attribute (1)

uuid

uuid

[1]

Assessment Activity Universally Unique Identifier

Description Uniquely identifies this assessment activity. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for a given included activity across revisions of the document.

Elements (8)

title

markup-line

[0 or 1]

Included Activity Title

Description The title for this included activity.

description

markup-multiline

[1]

Included Activity Description

Description A human-readable description of this included activity.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

step

element

[0 to ∞]

Step

Description Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.

Attribute (1)
uuid

uuid

[1]

Step Universally Unique Identifier

Description Uniquely identifies a step. This UUID may be referenced elsewhere in an OSCAL document when referring to this step. A UUID should be consistently used for a given test step across revisions of the document.

Elements (7)
title

markup-line

[0 or 1]

Step Title

Description The title for this step.

description

markup-multiline

[1]

Step Description

Description A human-readable description of this step.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

reviewed-controls

element
(global definition)

[0 or 1]

Reviewed Controls and Control Objectives

Description Identifies the controls being assessed and their control objectives.

Remarks

In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.

When resolving the selection of controls and control objectives, the following processing will occur:

1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.

2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.

This can be optionally used to define the set of controls and control objectives that are assessed by this step.

Elements (6)
description

markup-multiline

[0 or 1]

Control Objective Description

Description A human-readable description of control objectives.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

control-selection

element

[1 to ∞]

Assessed Controls

Description Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.

Remarks

The include-all, specifies all control identified in the baseline are included in the scope if this assessment, as specified by the include-profile statement within the linked SSP.

Any control specified within exclude-controls must first be within a range of explicitly included controls, via include-controls or include-all.

Elements (7)

description

markup-multiline

[0 or 1]

Assessed Controls Description

Description A human-readable description of in-scope controls specified for assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-control

element

[1 to ∞]

Select Control

Description Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.

Remarks

Used to select a control for inclusion by the control's identifier. Specific control statements can be selected by their statement identifier.

Attribute (1)

control-id

NCName

[1]

Control Identifier Reference

Description A reference to a control identifier.

Element (1)

statement-id

NCName

[0 to ∞]

Include Specific Statements

Description Used to constrain the selection to only specificity identified statements.

exclude-control

element

[0 to ∞]

Select Control

Description Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.

Remarks

Used to select a control for exclusion by the control's identifier. Specific control statements can be excluded by their statement identifier.

Attribute (1)

control-id

NCName

[1]

Control Identifier Reference

Description A reference to a control identifier.

Element (1)

statement-id

NCName

[0 to ∞]

Include Specific Statements

Description Used to constrain the selection to only specificity identified statements.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

control-objective-selection

element

[0 to ∞]

Referened Control Objectives

Description Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.

Remarks

The include-all field, specifies all control objectives for any in-scope control. In-scope controls are defined in the control-selection.

Any control objective specified within exclude-controls must first be within a range of explicitly included control objectives, via include-objectives or include-all.

Elements (7)

description

markup-multiline

[0 or 1]

Control Objectives Description

Description A human-readable description of this collection of control objectives.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-objective

empty

[1 to ∞]

Select Objective

Description Used to select a control objective for inclusion/exclusion based on the control objective's identifier.

Remarks

Used to select a control objective for inclusion by the control objective's identifier.

Attribute (1)

objective-id

NCName

[1]

Objective ID

Description Points to an assessment objective.

exclude-objective

empty

[0 to ∞]

Select Objective

Description Used to select a control objective for inclusion/exclusion based on the control objective's identifier.

Remarks

Used to select a control objective for exclusion by the control objective's identifier.

Attribute (1)

objective-id

NCName

[1]

Objective ID

Description Points to an assessment objective.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

responsible-role

element
(global definition)

[0 to ∞]

Responsible Role

Description A reference to one or more roles with responsibility for performing a function relative to the containing object.

Remarks

Identifies the roles, and optionally the parties, associated with this step that is part of an assessment activity.

Attribute (1)
role-id

NCName

[1]

Responsible Role ID

Description The role that is responsible for the business function.

Elements (4)
prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

party-uuid

uuid

[0 to ∞]

Party Reference

Description References a party defined in metadata.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

related-controls

element
(global definition)

[0 or 1]

Reviewed Controls and Control Objectives

Description Identifies the controls being assessed and their control objectives.

Remarks

In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.

When resolving the selection of controls and control objectives, the following processing will occur:

1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.

2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.

This can be optionally used to define the set of controls and control objectives that are assessed or remediated by this activity.

Elements (6)
description

markup-multiline

[0 or 1]

Control Objective Description

Description A human-readable description of control objectives.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

control-selection

element

[1 to ∞]

Assessed Controls

Description Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.

Remarks

The include-all, specifies all control identified in the baseline are included in the scope if this assessment, as specified by the include-profile statement within the linked SSP.

Any control specified within exclude-controls must first be within a range of explicitly included controls, via include-controls or include-all.

Elements (7)
description

markup-multiline

[0 or 1]

Assessed Controls Description

Description A human-readable description of in-scope controls specified for assessment.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-control

element

[1 to ∞]

Select Control

Description Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.

Remarks

Used to select a control for inclusion by the control's identifier. Specific control statements can be selected by their statement identifier.

Attribute (1)

control-id

NCName

[1]

Control Identifier Reference

Description A reference to a control identifier.

Element (1)

statement-id

NCName

[0 to ∞]

Include Specific Statements

Description Used to constrain the selection to only specificity identified statements.

exclude-control

element

[0 to ∞]

Select Control

Description Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.

Remarks

Used to select a control for exclusion by the control's identifier. Specific control statements can be excluded by their statement identifier.

Attribute (1)

control-id

NCName

[1]

Control Identifier Reference

Description A reference to a control identifier.

Element (1)

statement-id

NCName

[0 to ∞]

Include Specific Statements

Description Used to constrain the selection to only specificity identified statements.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

control-objective-selection

element

[0 to ∞]

Referened Control Objectives

Description Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.

Remarks

The include-all field, specifies all control objectives for any in-scope control. In-scope controls are defined in the control-selection.

Any control objective specified within exclude-controls must first be within a range of explicitly included control objectives, via include-objectives or include-all.

Elements (7)
description

markup-multiline

[0 or 1]

Control Objectives Description

Description A human-readable description of this collection of control objectives.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-objective

empty

[1 to ∞]

Select Objective

Description Used to select a control objective for inclusion/exclusion based on the control objective's identifier.

Remarks

Used to select a control objective for inclusion by the control objective's identifier.

Attribute (1)

objective-id

NCName

[1]

Objective ID

Description Points to an assessment objective.

exclude-objective

empty

[0 to ∞]

Select Objective

Description Used to select a control objective for inclusion/exclusion based on the control objective's identifier.

Remarks

Used to select a control objective for exclusion by the control objective's identifier.

Attribute (1)

objective-id

NCName

[1]

Objective ID

Description Points to an assessment objective.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

responsible-role

element
(global definition)

[0 to ∞]

Responsible Role

Description A reference to one or more roles with responsibility for performing a function relative to the containing object.

Remarks

Identifies the roles, and optionally the parties, associated with this assessment activity.

Attribute (1)
role-id

NCName

[1]

Responsible Role ID

Description The role that is responsible for the business function.

Elements (4)
prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

party-uuid

uuid

[0 to ∞]

Party Reference

Description References a party defined in metadata.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

result

element
(global definition)

[1 to ∞]

Assessment Result

Description Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition.

Attribute (1)

uuid

uuid

[1]

Results Universally Unique Identifier

Description Uniquely identifies this set of results. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given set of results across revisions.

Elements (14)

title

markup-line

[1]

Results Title

Description The title for this set of results.

description

markup-multiline

[1]

Results Description

Description A human-readable description of this set of test results.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

start

dateTime-with-timezone

[1]

start field

Description Date/time stamp identifying the start of the evidence collection reflected in these results.

end

dateTime-with-timezone

[0 or 1]

end field

Description Date/time stamp identifying the end of the evidence collection reflected in these results. In a continuous motoring scenario, this may contain the same value as start if appropriate.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

local-definitions

element

[0 or 1]

Local Definitions

Description Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.

Elements (5)

component

element
(global definition)

[0 to ∞]

Component

Description A defined component that can be part of an implemented system.

Remarks

Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

The type indicates which of these component types is represented.

When defining a service component where are relationship to other components is known, one or more link entries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.

Used to add any components, not defined via the System Security Plan (AR->AP->SSP)

Constraints (23)

allowed values for prop/@name

The value may be locally defined, or one of the following:

  • implementation-point: Relative placement of component ('internal' or 'external') to the system.
  • leveraged-authorization-uuid: UUID of the related leveraged-authorization assembly in this SSP.
  • inherited-uuid: UUID of the component as it was assigned in the leveraged system's SSP.
  • asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
  • asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
  • asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
  • public: Identifies whether the asset is publicly accessible (yes/no)
  • virtual: Identifies whether the asset is virtualized (yes/no)
  • vlan-id: Virtual LAN identifier of the asset.
  • network-id: The network identifier of the asset.
  • label: A human-readable label for the parent context.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • baseline-configuration-name: The name of the baseline configuration for the asset.
  • allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
  • function: The function provided by the asset for the system.
  • version: The version of the component.
  • patch-level: The specific patch level of the component.
  • model: The model of the component.
  • release-date: The date the component was released, such as a software release date or policy publication date.
  • validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
  • validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.

allowed values for link/@rel

The value may be locally defined, or one of the following:

  • depends-on: A reference to another component that this component has a dependency on.
  • validation: A reference to another component of component-type=validation, that is a validation (e.g., FIPS 140-2) for this component
  • proof-of-compliance: A pointer to a validation record (e.g., FIPS 140-2) or other compliance information.
  • baseline-template: A reference to the baseline template used to configure the asset.
  • uses-service: This service is used by the referenced component identifier.
  • system-security-plan: A link to the system security plan of the external system.
  • uses-network: This component uses the network provided by the identified network component.

allowed values for responsible-role/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
  • maintainer: Responsible for the creation and maintenance of a component.
  • provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).

allowed values for prop[@name='asset-type']/@value

The value must be one of the following:

  • operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
  • database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
  • web-server: A system that delivers content or services to end users over the Internet or an intranet.
  • dns-server: A system that resolves domain names to internet protocol (IP) addresses.
  • email-server: A computer system that sends and receives electronic mail messages.
  • directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
  • pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
  • firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
  • router: A physical or virtual networking device that forwards data packets between computer networks.
  • switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
  • storage-array: A consolidated, block-level data storage capability.
  • appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.

allowed values for prop[@name='allows-authenticated-scan']/@value

The value must be one of the following:

  • yes: The component allows an authenticated scan.
  • no: The component does not allow an authenticated scan.

allowed values for prop[@name='public']/@value

The value must be one of the following:

  • yes: The component is publicly accessible.
  • no: The component is not publicly accessible.

allowed values for prop[@name='virtual']/@value

The value must be one of the following:

  • yes: The component is virtualized.
  • no: The component is not virtualized.

allowed values for prop[@name='implementation-point']/@value

The value must be one of the following:

  • inteneral: The component is implemented within the system boundary.
  • external: The component is implemented outside the system boundary.

index has key for prop[@name='physical-location']this value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) @value

matches for prop[@name='inherited-uuid']/@value: the target value must match the lexical form of the 'uuid' data type.

matches for prop[@name='release-date']/@value: the target value must match the lexical form of the 'date' data type.

allowed value for (.)[@type=('software', 'hardware', 'service')]/prop/@name

The value may be locally defined, or the following:

  • vendor-name: The name of the company or organization

allowed value for (.)[@type='validation']/link/@rel

The value may be locally defined, or the following:

  • validation-details: A link to an online information provided by the authorizing body.

allowed value for (.)[@type='software']/prop/@name

The value may be locally defined, or the following:

  • software-identifier: If a "software" component-type, the identifier, such as a SWID tag, for the software component.

allowed values for (.)[@type='service']/link/@rel

The value may be locally defined, or one of the following:

  • provided-by: This service is provided by the referenced component identifier.
  • used-by: This service is used by the referenced component identifier.

allowed values for (.)[@type='interconnection']/prop/@name

The value may be locally defined, or one of the following:

  • isa-title: Title of the Interconnection Security Agreement (ISA).
  • isa-date: Date of the Interconnection Security Agreement (ISA).
  • isa-remote-system-name: The name of the remote interconnected system.
  • ipv4-address: An Internet Protocol Version 4 interconnection address
  • ipv6-address: An Internet Protocol Version 6 interconnection address
  • direction: An Internet Protocol Version 6 interconnection address

allowed values for prop[(@name=('ipv4-address','ipv6-address')]/@class

The value may be locally defined, or one of the following:

  • local: The identified IP address is for this system.
  • remote: The identified IP address is for the remote system to which this system is connected.

allowed value for (.)[@type='interconnection']/link/@rel

The value may be locally defined, or the following:

  • isa-agreement: A link to the system interconnection agreement.

allowed values for (.)[@type='interconnection']/responsible-role/@role-id

The value may be locally defined, or one of the following:

  • isa-poc-local: Interconnection Security Agreement (ISA) point of contact (POC) for this system.
  • isa-poc-remote: Interconnection Security Agreement (ISA) point of contact (POC) for the remote interconnected system.
  • isa-authorizing-official-local: Interconnection Security Agreement (ISA) authorizing official for this system.
  • isa-authorizing-official-remote: Interconnection Security Agreement (ISA) authorizing official for the remote interconnected system.

matches for prop[@name='isa-date']/@value: the target value must match the lexical form of the 'dateTime' data type.

matches for prop[@name='ipv4-address']/@value: the target value must match the lexical form of the 'ip-v4-address' data type.

matches for prop[@name='ipv6-address']/@value: the target value must match the lexical form of the 'ip-v6-address' data type.

allowed values for prop[@name='direction')]/@value

The value may be locally defined, or one of the following:

  • incoming: Data from the remote system flows into this system.
  • outgoing: Data from this system flows to the remote system.
Attributes (2)
uuid

uuid

[1]

Component Identifier

Description The unique identifier for the component.

type

string

[1]

Component Type

Description A category describing the purpose of the component.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • this-system: The system as a whole.
  • system: An external system, which may be a leveraged system or the other side of an interconnection.
  • interconnection: A connection to something outside this system.
  • software: Any software, operating system, or firmware.
  • hardware: A physical device.
  • service: A service that may provide APIs.
  • policy: An enforcable policy.
  • physical: A tangible asset used to provide physical protections or countermeasures.
  • process-procedure: A list of steps or actions to take to achieve some end result.
  • plan: An applicable plan.
  • guidance: Any guideline or recommendation.
  • standard: Any organizational or industry standard.
  • validation: An external assessment performed on some other component, that has been validated by a third-party.
  • network: A physical or virtual network.
Elements (9)
title

markup-line

[1]

Component Title

Description A human readable name for the system component.

description

markup-multiline

[1]

Component Description

Description A description of the component, including information about its function.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

purpose

markup-line

[0 or 1]

Purpose

Description A summary of the technological or business purpose of the component.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

status

element

[1]

Status

Description Describes the operational status of the system component.

Attribute (1)
state

NCName

[1]

State

Description The operational status.

Constraint (1)

allowed values

The value must be one of the following:

  • under-development: The component is being designed, developed, or implemented.
  • operational: The component is currently operational and is available for use in the system.
  • disposition: The component is no longer operational.
  • other: Some other state.
Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

responsible-role

element
(global definition)

[0 to ∞]

Responsible Role

Description A reference to one or more roles with responsibility for performing a function relative to the containing object.

Attribute (1)
role-id

NCName

[1]

Responsible Role ID

Description The role that is responsible for the business function.

Elements (4)
prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

party-uuid

uuid

[0 to ∞]

Party Reference

Description References a party defined in metadata.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

protocol

element
(global definition)

[0 to ∞]

Service Protocol Information

Description Information about the protocol used to provide a service.

Remarks

Used for service components to define the protocols supported by the service.

Attributes (2)
uuid

uuid

[0 or 1]

Service Protocol Information Universally Unique Identifier

Description A globally unique identifier that can be used to reference this service protocol entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.

name

string

[1]

Protocol Name

Description The common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry.

Remarks

The short name of the protocol (e.g., https).

Elements (2)
title

markup-line

[0 or 1]

Protocol Title

Description A human readable name for the protocol (e.g., Transport Layer Security).

port-range

empty

[0 to ∞]

Port Range

Description Where applicable this is the IPv4 port range on which the service operates.

Remarks

To be validated as a natural number (integer >= 1). A single port uses the same value for start and end. Use multiple 'port-range' entries for non-contiguous ranges.

Attributes (3)

start

nonNegativeInteger

[0 or 1]

Start

Description Indicates the starting port number in a port range

Remarks

Should be a number within a permitted range

Description Indicates the ending port number in a port range

Remarks

Should be a number within a permitted range

transport

NCName

[0 or 1]

Transport

Description Indicates the transport type.

Constraint (1)

allowed values

The value must be one of the following:

  • TCP: Transmission Control Protocol
  • UDP: User Datagram Protocol
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

inventory-item

element
(global definition)

[0 to ∞]

Inventory Item

Description A single managed inventory item within the system.

Remarks

Used to add any inventory-items, not defined via the System Security Plan (AR->AP->SSP)

Constraints (8)

allowed values for prop/@name

The value may be locally defined, or one of the following:

  • ipv4-address: The Internet Protocol v4 Address of the asset.
  • ipv6-address: The Internet Protocol v6 Address of the asset.
  • fqdn: The full-qualified domain name (FQDN) of the asset.
  • uri: A Uniform Resource Identifier (URI) for the asset.
  • serial-number: A serial number for the asset.
  • netbios-name: The NetBIOS name for the asset.
  • mac-address: The media access control (MAC) address for the asset.
  • physical-location: The physical location of the asset's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful location identifiers).
  • is-scanned: is the asset subjected to network scans? (yes/no)
  • hardware-model: The model number of the hardware used by the asset.
  • os-name: The name of the operating system used by the asset.
  • os-version: The version of the operating system used by the asset.
  • software-name: The software product name used by the asset.
  • software-version: The software product version used by the asset.
  • software-patch-level: The software product patch level used by the asset.
  • asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
  • asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
  • asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
  • public: Identifies whether the asset is publicly accessible (yes/no)
  • virtual: Identifies whether the asset is virtualized (yes/no)
  • vlan-id: Virtual LAN identifier of the asset.
  • network-id: The network identifier of the asset.
  • label: A human-readable label for the parent context.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • baseline-configuration-name: The name of the baseline configuration for the asset.
  • allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
  • function: The function provided by the asset for the system.

allowed values for prop[@name='asset-type']/@value

The value must be one of the following:

  • operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
  • database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
  • web-server: A system that delivers content or services to end users over the Internet or an intranet.
  • dns-server: A system that resolves domain names to internet protocol (IP) addresses.
  • email-server: A computer system that sends and receives electronic mail messages.
  • directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
  • pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
  • firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
  • router: A physical or virtual networking device that forwards data packets between computer networks.
  • switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
  • storage-array: A consolidated, block-level data storage capability.
  • appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.

allowed value for (.)[@type=('software', 'hardware', 'service')]/prop/@name

The value may be locally defined, or the following:

  • vendor-name: The name of the company or organization

allowed values for prop[@name='is-scanned']/@value

The value must be one of the following:

  • yes: The asset is included in periodic vulnerability scanning.
  • no: The asset is not included in periodic vulnerability scanning.

allowed value for link/@rel

The value may be locally defined, or the following:

  • baseline-template: A reference to the baseline template used to configure the asset.

allowed values for responsible-party/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
  • maintainer: Responsible for the creation and maintenance of a component.
  • provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).

index has key for responsible-partythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for responsible-partythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) @party-uuid

Attribute (1)
uuid

uuid

[1]

Inventory Item Universally Unique Identifier

Description A globally unique identifier that can be used to reference this inventory item entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.

Elements (6)
description

markup-multiline

[1]

Inventory Item Description

Description A summary of the inventory item stating its purpose within the system.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

responsible-party

element
(global definition)

[0 to ∞]

Responsible Party

Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

Constraints (2)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

Attribute (1)
role-id

NCName

[1]

Responsible Role

Description The role that the party is responsible for.

Elements (4)
party-uuid

uuid

[1 to ∞]

Party Reference

Description References a party defined in metadata.

Remarks

Specifies one or more parties that are responsible for performing the associated role.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

implemented-component

element

[0 to ∞]

Implemented Component

Description The set of components that are implemented in a given system inventory item.

Constraints (3)

allowed values for prop/@name

The value may be locally defined, or one of the following:

  • version: The version of the component.
  • patch-level: The specific patch level of the component.
  • model: The model of the component.
  • release-date: The date the component was released, such as a software release date or policy publication date.
  • validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
  • validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.
  • asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
  • asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
  • asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
  • public: Identifies whether the asset is publicly accessible (yes/no)
  • virtual: Identifies whether the asset is virtualized (yes/no)
  • vlan-id: Virtual LAN identifier of the asset.
  • network-id: The network identifier of the asset.
  • label: A human-readable label for the parent context.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • baseline-configuration-name: The name of the baseline configuration for the asset.
  • allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
  • function: The function provided by the asset for the system.

has cardinality for prop[@name='asset-id'] the cardinality of prop[@name='asset-id'] is constrained: 1; maximum unbounded.

allowed values for responsible-party/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
Attribute (1)
component-uuid

uuid

[1]

Component Universally Unique Identifier Reference

Description A reference to a component that is implemented as part of an inventory item.

Elements (4)
prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

responsible-party

element
(global definition)

[0 to ∞]

Responsible Party

Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

Remarks

This construct is used to either: 1) associate a party or parties to a role defined on the component using the responsible-role construct, or 2) to define a party or parties that are responsible for a role defined within the context of the containing inventory-item.

Constraints (2)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

Attribute (1)

role-id

NCName

[1]

Responsible Role

Description The role that the party is responsible for.

Elements (4)

party-uuid

uuid

[1 to ∞]

Party Reference

Description References a party defined in metadata.

Remarks

Specifies one or more parties that are responsible for performing the associated role.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

user

element
(global definition)

[0 to ∞]

System User

Description A type of user that interacts with the system based on an associated role.

Remarks

Permissible values to be determined closer to the application, such as by a receiving authority.

Used to add any users, not defined via the System Security Plan (AR->AP->SSP)

Constraints (4)

allowed values for prop/@name

The value may be locally defined, or one of the following:

  • type: The type of user, such as internal, external, or general-public.
  • privilege-level: The user's privilege level within the system, such as privileged, non-privileged, no-logical-access.

allowed values for prop[@name='type']/@value

The value must be one of the following:

  • internal: A user account for a person or entity that is part of the organization who owns or operates the system.
  • external: A user account for a person or entity that is not part of the organization who owns or operates the system.
  • general-public: A user of the system considered to be outside

allowed values for prop[@name='privilege-level']/@value

The value must be one of the following:

  • privileged: This role has elevated access to the system, such as a group or system administrator.
  • non-privileged: This role has typical user-level access to the system without elevated access.
  • no-logical-access: This role has no access to the system, such as a manager who approves access as part of a process.

allowed values for role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
Attribute (1)
uuid

uuid

[1]

User Universally Unique Identifier

Description The unique identifier for the user class.

Elements (8)
title

markup-line

[0 or 1]

User Title

Description A name given to the user, which may be used by a tool for display and navigation.

short-name

string

[0 or 1]

User Short Name

Description A short common name, abbreviation, or acronym for the user.

description

markup-multiline

[0 or 1]

User Description

Description A summary of the user's purpose within the system.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

role-id

NCName

[0 to ∞]

Role Identifier Reference

Description A reference to the roles served by the user.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) value()

authorized-privilege

element
(global definition)

[0 to ∞]

Privilege

Description Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.

Elements (3)
title

markup-line

[1]

Privilege Title

Description A human readable name for the privilege.

description

markup-multiline

[0 or 1]

Privilege Description

Description A summary of the privilege's purpose within the system.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

function-performed

string

[1 to ∞]

Functions Performed

Description Describes a function performed for a given authorized privilege by this user class.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

assessment-assets

element
(global definition)

[0 or 1]

Assessment Assets

Description Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.

Remarks

This needs to be defined in the results if an assessment platform used is different from the one described in the assessment plan. Else the platform(s) defined in the plan may be referenced within the results.

Elements (2)
component

element
(global definition)

[0 to ∞]

Component

Description A defined component that can be part of an implemented system.

Remarks

Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

The type indicates which of these component types is represented.

When defining a service component where are relationship to other components is known, one or more link entries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.

Used to add any components for tools used during the assessment. These are represented here to avoid mixing with system components.

The technology tools used by the assessor to perform the assessment, such as vulnerability scanners. In the assessment plan these are the intended tools. In the assessment results, these are the actual tools used, including any differences from the assessment plan.

Constraints (23)

allowed values for prop/@name

The value may be locally defined, or one of the following:

  • implementation-point: Relative placement of component ('internal' or 'external') to the system.
  • leveraged-authorization-uuid: UUID of the related leveraged-authorization assembly in this SSP.
  • inherited-uuid: UUID of the component as it was assigned in the leveraged system's SSP.
  • asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
  • asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
  • asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
  • public: Identifies whether the asset is publicly accessible (yes/no)
  • virtual: Identifies whether the asset is virtualized (yes/no)
  • vlan-id: Virtual LAN identifier of the asset.
  • network-id: The network identifier of the asset.
  • label: A human-readable label for the parent context.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • baseline-configuration-name: The name of the baseline configuration for the asset.
  • allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
  • function: The function provided by the asset for the system.
  • version: The version of the component.
  • patch-level: The specific patch level of the component.
  • model: The model of the component.
  • release-date: The date the component was released, such as a software release date or policy publication date.
  • validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
  • validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.

allowed values for link/@rel

The value may be locally defined, or one of the following:

  • depends-on: A reference to another component that this component has a dependency on.
  • validation: A reference to another component of component-type=validation, that is a validation (e.g., FIPS 140-2) for this component
  • proof-of-compliance: A pointer to a validation record (e.g., FIPS 140-2) or other compliance information.
  • baseline-template: A reference to the baseline template used to configure the asset.
  • uses-service: This service is used by the referenced component identifier.
  • system-security-plan: A link to the system security plan of the external system.
  • uses-network: This component uses the network provided by the identified network component.

allowed values for responsible-role/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
  • maintainer: Responsible for the creation and maintenance of a component.
  • provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).

allowed values for prop[@name='asset-type']/@value

The value must be one of the following:

  • operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
  • database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
  • web-server: A system that delivers content or services to end users over the Internet or an intranet.
  • dns-server: A system that resolves domain names to internet protocol (IP) addresses.
  • email-server: A computer system that sends and receives electronic mail messages.
  • directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
  • pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
  • firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
  • router: A physical or virtual networking device that forwards data packets between computer networks.
  • switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
  • storage-array: A consolidated, block-level data storage capability.
  • appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.

allowed values for prop[@name='allows-authenticated-scan']/@value

The value must be one of the following:

  • yes: The component allows an authenticated scan.
  • no: The component does not allow an authenticated scan.

allowed values for prop[@name='public']/@value

The value must be one of the following:

  • yes: The component is publicly accessible.
  • no: The component is not publicly accessible.

allowed values for prop[@name='virtual']/@value

The value must be one of the following:

  • yes: The component is virtualized.
  • no: The component is not virtualized.

allowed values for prop[@name='implementation-point']/@value

The value must be one of the following:

  • inteneral: The component is implemented within the system boundary.
  • external: The component is implemented outside the system boundary.

index has key for prop[@name='physical-location']this value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) @value

matches for prop[@name='inherited-uuid']/@value: the target value must match the lexical form of the 'uuid' data type.

matches for prop[@name='release-date']/@value: the target value must match the lexical form of the 'date' data type.

allowed value for (.)[@type=('software', 'hardware', 'service')]/prop/@name

The value may be locally defined, or the following:

  • vendor-name: The name of the company or organization

allowed value for (.)[@type='validation']/link/@rel

The value may be locally defined, or the following:

  • validation-details: A link to an online information provided by the authorizing body.

allowed value for (.)[@type='software']/prop/@name

The value may be locally defined, or the following:

  • software-identifier: If a "software" component-type, the identifier, such as a SWID tag, for the software component.

allowed values for (.)[@type='service']/link/@rel

The value may be locally defined, or one of the following:

  • provided-by: This service is provided by the referenced component identifier.
  • used-by: This service is used by the referenced component identifier.

allowed values for (.)[@type='interconnection']/prop/@name

The value may be locally defined, or one of the following:

  • isa-title: Title of the Interconnection Security Agreement (ISA).
  • isa-date: Date of the Interconnection Security Agreement (ISA).
  • isa-remote-system-name: The name of the remote interconnected system.
  • ipv4-address: An Internet Protocol Version 4 interconnection address
  • ipv6-address: An Internet Protocol Version 6 interconnection address
  • direction: An Internet Protocol Version 6 interconnection address

allowed values for prop[(@name=('ipv4-address','ipv6-address')]/@class

The value may be locally defined, or one of the following:

  • local: The identified IP address is for this system.
  • remote: The identified IP address is for the remote system to which this system is connected.

allowed value for (.)[@type='interconnection']/link/@rel

The value may be locally defined, or the following:

  • isa-agreement: A link to the system interconnection agreement.

allowed values for (.)[@type='interconnection']/responsible-role/@role-id

The value may be locally defined, or one of the following:

  • isa-poc-local: Interconnection Security Agreement (ISA) point of contact (POC) for this system.
  • isa-poc-remote: Interconnection Security Agreement (ISA) point of contact (POC) for the remote interconnected system.
  • isa-authorizing-official-local: Interconnection Security Agreement (ISA) authorizing official for this system.
  • isa-authorizing-official-remote: Interconnection Security Agreement (ISA) authorizing official for the remote interconnected system.

matches for prop[@name='isa-date']/@value: the target value must match the lexical form of the 'dateTime' data type.

matches for prop[@name='ipv4-address']/@value: the target value must match the lexical form of the 'ip-v4-address' data type.

matches for prop[@name='ipv6-address']/@value: the target value must match the lexical form of the 'ip-v6-address' data type.

allowed values for prop[@name='direction')]/@value

The value may be locally defined, or one of the following:

  • incoming: Data from the remote system flows into this system.
  • outgoing: Data from this system flows to the remote system.
Attributes (2)
uuid

uuid

[1]

Component Identifier

Description The unique identifier for the component.

type

string

[1]

Component Type

Description A category describing the purpose of the component.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • this-system: The system as a whole.
  • system: An external system, which may be a leveraged system or the other side of an interconnection.
  • interconnection: A connection to something outside this system.
  • software: Any software, operating system, or firmware.
  • hardware: A physical device.
  • service: A service that may provide APIs.
  • policy: An enforcable policy.
  • physical: A tangible asset used to provide physical protections or countermeasures.
  • process-procedure: A list of steps or actions to take to achieve some end result.
  • plan: An applicable plan.
  • guidance: Any guideline or recommendation.
  • standard: Any organizational or industry standard.
  • validation: An external assessment performed on some other component, that has been validated by a third-party.
  • network: A physical or virtual network.
Elements (9)
title

markup-line

[1]

Component Title

Description A human readable name for the system component.

description

markup-multiline

[1]

Component Description

Description A description of the component, including information about its function.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

purpose

markup-line

[0 or 1]

Purpose

Description A summary of the technological or business purpose of the component.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

status

element

[1]

Status

Description Describes the operational status of the system component.

Attribute (1)

state

NCName

[1]

State

Description The operational status.

Constraint (1)

allowed values

The value must be one of the following:

  • under-development: The component is being designed, developed, or implemented.
  • operational: The component is currently operational and is available for use in the system.
  • disposition: The component is no longer operational.
  • other: Some other state.
Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

responsible-role

element
(global definition)

[0 to ∞]

Responsible Role

Description A reference to one or more roles with responsibility for performing a function relative to the containing object.

Attribute (1)

role-id

NCName

[1]

Responsible Role ID

Description The role that is responsible for the business function.

Elements (4)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

party-uuid

uuid

[0 to ∞]

Party Reference

Description References a party defined in metadata.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

protocol

element
(global definition)

[0 to ∞]

Service Protocol Information

Description Information about the protocol used to provide a service.

Remarks

Used for service components to define the protocols supported by the service.

Attributes (2)

uuid

uuid

[0 or 1]

Service Protocol Information Universally Unique Identifier

Description A globally unique identifier that can be used to reference this service protocol entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.

name

string

[1]

Protocol Name

Description The common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry.

Remarks

The short name of the protocol (e.g., https).

Elements (2)

title

markup-line

[0 or 1]

Protocol Title

Description A human readable name for the protocol (e.g., Transport Layer Security).

port-range

empty

[0 to ∞]

Port Range

Description Where applicable this is the IPv4 port range on which the service operates.

Remarks

To be validated as a natural number (integer >= 1). A single port uses the same value for start and end. Use multiple 'port-range' entries for non-contiguous ranges.

Attributes (3)

start

nonNegativeInteger

[0 or 1]

Start

Description Indicates the starting port number in a port range

Remarks

Should be a number within a permitted range

Description Indicates the ending port number in a port range

Remarks

Should be a number within a permitted range

transport

NCName

[0 or 1]

Transport

Description Indicates the transport type.

Constraint (1)

allowed values

The value must be one of the following:

  • TCP: Transmission Control Protocol
  • UDP: User Datagram Protocol
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

assessment-platform

element

[1 to ∞]

Assessment Platform

Description Used to represent the toolset used to perform aspects of the assessment.

Attribute (1)
uuid

uuid

[1]

Assessment Platform Universally Unique Identifier

Description Uniquely identifies this assessment Platform.

Elements (5)
title

markup-line

[0 or 1]

Assessment Platform Title

Description The title or name for the assessment platform.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

uses-component

element

[0 to ∞]

Uses Component

Description The set of components that are used by the assessment platform.

Attribute (1)

component-uuid

uuid

[1]

Component Universally Unique Identifier Reference

Description A reference to a component that is implemented as part of an inventory item.

Elements (4)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

responsible-party

element
(global definition)

[0 to ∞]

Responsible Party

Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

Remarks

This construct is used to either: 1) associate a party or parties to a role defined on the component using the responsible-role construct, or 2) to define a party or parties that are responsible for a role defined within the context of the containing inventory-item.

Constraints (2)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

Attribute (1)

role-id

NCName

[1]

Responsible Role

Description The role that the party is responsible for.

Elements (4)

party-uuid

uuid

[1 to ∞]

Party Reference

Description References a party defined in metadata.

Remarks

Specifies one or more parties that are responsible for performing the associated role.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

assessment-task

element
(global definition)

[0 to ∞]

Task

Description Represents a scheduled event or milestone, which may be associated with a series of assessment actions.

Attributes (2)
uuid

uuid

[1]

Task Universally Unique Identifier

Description Uniquely identifies this assessment task.

type

NCName

[1]

Task Type

Description The type of task.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • milestone: The task represents a planned milestone.
  • action: The task represents a specific assessment action to be performed.
Elements (11)
title

markup-line

[1]

Task Title

Description The title for this task.

description

markup-multiline

[0 or 1]

Task Description

Description A human-readable description of this task.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

timing

element

[0 or 1]

Event Timing

Description The timing under which the task is intended to occur.

Elements (3)

A choice:

on-date

empty

[1]

On Date Condition

Description The task is intended to occur on the specified date.

Attribute (1)

date

dateTime-with-timezone

[1]

On Date Condition

Description The task must occur on the specified date.

within-date-range

empty

[1]

On Date Range Condition

Description The task is intended to occur within the specified date range.

Attributes (2)

start

dateTime-with-timezone

[1]

Start Date Condition

Description The task must occur on or after the specified date.

end

dateTime-with-timezone

[1]

End Date Condition

Description The task must occur on or before the specified date.

at-frequency

empty

[1]

Frequency Condition

Description The task is intended to occur at the specified frequency.

Attributes (2)

period

positiveInteger

[1]

Period

Description The task must occur after the specified period has elapsed.

unit

string

[1]

Time Unit

Description The unit of time for the period.

Constraint (1)

allowed values

The value must be one of the following:

  • seconds: The period is specified in seconds.
  • minutes: The period is specified in minutes.
  • hours: The period is specified in hours.
  • days: The period is specified in days.
  • months: The period is specified in calendar months.
  • years: The period is specified in calendar years.
dependency

element

[0 to ∞]

Task Dependency

Description Used to indicate that a task is dependant on another task.

Attribute (1)
task-uuid

uuid

[1]

Task Universally Unique Identifier Reference

Description References a unique task by UUID.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

task

element
(global definition)

[0 to ∞]

Task

Description Represents a scheduled event or milestone, which may be associated with a series of assessment actions.

associated-activity

element

[0 to ∞]

Associated Activity

Description Identifies an individual activity to be performed as part of a task.

Attribute (1)
activity-uuid

uuid

[1]

Activity Universally Unique Identifier Reference

Description References an activity defined in the list of activities.

Elements (6)
prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

responsible-role

element
(global definition)

[0 to ∞]

Responsible Role

Description A reference to one or more roles with responsibility for performing a function relative to the containing object.

Remarks

Identifies the person or organization responsible for performing a specific role defined by the activity.

Attribute (1)

role-id

NCName

[1]

Responsible Role ID

Description The role that is responsible for the business function.

Elements (4)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

party-uuid

uuid

[0 to ∞]

Party Reference

Description References a party defined in metadata.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

A choice:

subject

element
(global definition)

[1 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

subject-placeholder

element
(global definition)

[0 or 1]

Assessment Subject Placeholder

Description Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.

Attribute (1)

uuid

uuid

[1]

Assessment Subject Placeholder Universally Unique Identifier

Description Uniquely identifies a set of assessment subjects that will be identified by a task or an activity that is part of a task.

Elements (5)

description

markup-multiline

[0 or 1]

Assessment Subject Placeholder Description

Description A human-readable description of intent of this assessment subject placeholder.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

source

empty

[1 to ∞]

Assessment Subject Source

Description Assessment subjects will be identified while conducting the referenced activity-instance.

Attribute (1)

task-uuid

uuid

[1]

Task Universally Unique Identifier

Description Uniquely identifies an assessment activity to be performed as part of the event. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for this schedule across revisions of the document.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

subject

element
(global definition)

[0 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the activity was performed against.

Attribute (1)
type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)
description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

responsible-role

element
(global definition)

[0 to ∞]

Responsible Role

Description A reference to one or more roles with responsibility for performing a function relative to the containing object.

Remarks

Identifies the person or organization responsible for performing a specific role related to the task.

Attribute (1)
role-id

NCName

[1]

Responsible Role ID

Description The role that is responsible for the business function.

Elements (4)
prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

party-uuid

uuid

[0 to ∞]

Party Reference

Description References a party defined in metadata.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

reviewed-controls

element
(global definition)

[1]

Reviewed Controls and Control Objectives

Description Identifies the controls being assessed and their control objectives.

Remarks

In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.

When resolving the selection of controls and control objectives, the following processing will occur:

1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.

2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.

The Assessment Results control-selection ignores any control selection in the Assessment Plan and re-selects controls from the baseline identified by the SSP.

The Assessment Results control-objective-selection ignores any control objective selection in the Assessment Plan and re-selects control objectives from the baseline identified by the SSP.

Any additional control objectives defined in the Assessment Plan local-definitions do not need to be re-defined in the Assessment Results local-definitions; however, if they were explicitly referenced with an Assessment Plan control-objective-selection, they need to be selected again in the Assessment Results control-objective-selection.

Elements (6)

description

markup-multiline

[0 or 1]

Control Objective Description

Description A human-readable description of control objectives.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

control-selection

element

[1 to ∞]

Assessed Controls

Description Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.

Remarks

The include-all, specifies all control identified in the baseline are included in the scope if this assessment, as specified by the include-profile statement within the linked SSP.

Any control specified within exclude-controls must first be within a range of explicitly included controls, via include-controls or include-all.

Elements (7)
description

markup-multiline

[0 or 1]

Assessed Controls Description

Description A human-readable description of in-scope controls specified for assessment.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-control

element

[1 to ∞]

Select Control

Description Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.

Remarks

Used to select a control for inclusion by the control's identifier. Specific control statements can be selected by their statement identifier.

Attribute (1)
control-id

NCName

[1]

Control Identifier Reference

Description A reference to a control identifier.

Element (1)
statement-id

NCName

[0 to ∞]

Include Specific Statements

Description Used to constrain the selection to only specificity identified statements.

exclude-control

element

[0 to ∞]

Select Control

Description Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.

Remarks

Used to select a control for exclusion by the control's identifier. Specific control statements can be excluded by their statement identifier.

Attribute (1)
control-id

NCName

[1]

Control Identifier Reference

Description A reference to a control identifier.

Element (1)
statement-id

NCName

[0 to ∞]

Include Specific Statements

Description Used to constrain the selection to only specificity identified statements.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

control-objective-selection

element

[0 to ∞]

Referened Control Objectives

Description Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.

Remarks

The include-all field, specifies all control objectives for any in-scope control. In-scope controls are defined in the control-selection.

Any control objective specified within exclude-controls must first be within a range of explicitly included control objectives, via include-objectives or include-all.

Elements (7)
description

markup-multiline

[0 or 1]

Control Objectives Description

Description A human-readable description of this collection of control objectives.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-objective

empty

[1 to ∞]

Select Objective

Description Used to select a control objective for inclusion/exclusion based on the control objective's identifier.

Remarks

Used to select a control objective for inclusion by the control objective's identifier.

Attribute (1)
objective-id

NCName

[1]

Objective ID

Description Points to an assessment objective.

exclude-objective

empty

[0 to ∞]

Select Objective

Description Used to select a control objective for inclusion/exclusion based on the control objective's identifier.

Remarks

Used to select a control objective for exclusion by the control objective's identifier.

Attribute (1)
objective-id

NCName

[1]

Objective ID

Description Points to an assessment objective.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

attestation

element

[0 to ∞]

Attestation Statements

Description A set of textual statements, typically written by the assessor.

Elements (2)

responsible-party

element
(global definition)

[0 to ∞]

Responsible Party

Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

Constraints (2)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

Attribute (1)
role-id

NCName

[1]

Responsible Role

Description The role that the party is responsible for.

Elements (4)
party-uuid

uuid

[1 to ∞]

Party Reference

Description References a party defined in metadata.

Remarks

Specifies one or more parties that are responsible for performing the associated role.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

part

element
(global definition)

[1 to ∞]

Assessment Part

Description A partition of an assessment plan or results or a child of another part.

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns "https://fedramp.gov", while DoD will use the ns "https://defense.gov" for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

Constraints (3)

allowed value for prop/@name

The value may be locally defined, or the following:

  • method: The assessment method to use. This typically appears on parts with the name "assessment".

has cardinality for prop[@name='method'] the cardinality of prop[@name='method'] is constrained: 1; maximum unbounded.

allowed values for prop[@name='method']/@value

The value must be one of the following:

  • INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
  • EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
  • TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
Attributes (4)
uuid

uuid

[0 or 1]

Part Identifier

Description A unique identifier for a specific part instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same part across minor revisions of the document.

name

NCName

[1]

Part Name

Description A textual label that uniquely identifies the part's semantic type.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • asset: An assessment asset.
  • method: An assessment method.
  • objective: Describes a set of control objectives.
ns

uri

[0 or 1]

Part Namespace

Description A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated text used in a part. This allows the semantics associated with a given name to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

class

NCName

[0 or 1]

Part Class

Description A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

A class can also be used in an OSCAL profile as a means to target an alteration to control content.

Elements (4+)
title

markup-line

[0 or 1]

Part Title

Description A name given to the part, which may be used by a tool for display and navigation.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

part

element
(global definition)

[0 to ∞]

Assessment Part

Description A partition of an assessment plan or results or a child of another part.

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns "https://fedramp.gov", while DoD will use the ns "https://defense.gov" for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

Constraints (3)

allowed value for prop/@name

The value may be locally defined, or the following:

  • method: The assessment method to use. This typically appears on parts with the name "assessment".

has cardinality for prop[@name='method'] the cardinality of prop[@name='method'] is constrained: 1; maximum unbounded.

allowed values for prop[@name='method']/@value

The value must be one of the following:

  • INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
  • EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
  • TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

assessment-log

element

[0 or 1]

Assessment Log

Description A log of all assessment-related actions taken.

Element (1)

entry

element

[1 to ∞]

Assessment Log Entry

Description Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results.

Attribute (1)
uuid

uuid

[1]

Assessment Log Entry Universally Unique Identifier

Description Uniquely identifies an assessment event. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for this schedule across revisions of the document.

Elements (9)
title

markup-line

[0 or 1]

Action Title

Description The title for this event.

description

markup-multiline

[0 or 1]

Action Description

Description A human-readable description of this event.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

Description Identifies the start date and time of an event.

Description Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

logged-by

empty

[0 to ∞]

Logged By

Description Used to indicate who created a log entry in what role.

Attributes (2)
party-uuid

uuid

[1]

Party UUID Reference

Description A pointer to the party who is making the log entry.

role-id

NCName

[0 or 1]

Actor Role

Description A point to the role-id of the role in which the party is making the log entry.

related-task

element
(global definition)

[0 to ∞]

Task Reference

Description Identifies an individual task for which the containing object is a consequence of.

Attribute (1)
task-uuid

uuid

[1]

Task Universally Unique Identifier Reference

Description References a unique task by UUID.

Elements (6)
prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

responsible-party

element
(global definition)

[0 to ∞]

Responsible Party

Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

Remarks

Identifies the person or organization responsible for performing a specific role defined by the activity.

Constraints (2)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

Attribute (1)

role-id

NCName

[1]

Responsible Role

Description The role that the party is responsible for.

Elements (4)

party-uuid

uuid

[1 to ∞]

Party Reference

Description References a party defined in metadata.

Remarks

Specifies one or more parties that are responsible for performing the associated role.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

subject

element
(global definition)

[0 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task was performed against.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

identified-subject

element

[0 or 1]

Identified Subject

Description Used to detail assessment subjects that were identfied by this task.

Attribute (1)

subject-placeholder-uuid

uuid

[1]

Assessment Subject Placeholder Universally Unique Identifier Reference

Description References a unique assessment subject placeholder defined by this task.

Element (1)

subject

element
(global definition)

[1 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task identified, which will be used by another task through a subject-placeholder reference. Such a task will "consume" these subjects.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

observation

element
(global definition)

[0 to ∞]

Observation

Description Describes an individual observation.

Attribute (1)

uuid

uuid

[1]

Observation Universally Unique Identifier

Description Uniquely identifies this observation. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given observation across revisions.

Elements (12)

title

markup-line

[0 or 1]

Observation Title

Description The title for this observation.

description

markup-multiline

[1]

Observation Description

Description A human-readable description of this assessment observation.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

method

string

[1 to ∞]

Observation Method

Description Identifies how the observation was made.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • EXAMINE: An inspection was performed.
  • INTERVIEW: An interview was performed.
  • TEST: A manual or automated test was performed.
  • UNKNOWN: This is only for use when converting historic content to OSCAL, where the conversion process cannot initially identify the appopriate method(s).

type

NCName

[0 to ∞]

Observation Type

Description Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • ssp-statement-issue: A difference between the SSP implementation statement, and actual implementation.
  • control-objective: An observation about the status of a the associated control objective.
  • mitigation: A mitigating factor was identified.
  • finding: An assessment finding. Used for observations made by tools, penetration testing, and other means.
  • historic: An observation from a past assessment, which was converted to OSCAL at a later date.

origin

element
(global definition)

[0 to ∞]

Origin

Description Identifies the source of the finding, such as a tool, interviewed person, or activity.

Remarks

Used to identify the individual and/or tool that gathered the evidence resulting in the observation identification.

Elements (2)
actor

element
(global definition)

[1 to ∞]

Originating Actor

Description The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.

Attributes (3)
type

NCName

[1]

Actor Type

Description The kind of actor.

Constraint (1)

allowed values

The value must be one of the following:

  • tool: A reference to a tool component defined with the assessment assets.
  • assessment-platform: A reference to an assessment-platform defined with the assessment assets.
  • party: A reference to a party defined within the document metadata.
uuid-ref

uuid

[1]

Actor UUID Reference

Description A pointer to the tool or person based on the associated type.

role-id

NCName

[0 or 1]

Actor Role

Description For a party, this can optionally be used to specify the role the actor was performing.

Elements (2)
prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

related-task

element
(global definition)

[0 to ∞]

Task Reference

Description Identifies an individual task for which the containing object is a consequence of.

Attribute (1)
task-uuid

uuid

[1]

Task Universally Unique Identifier Reference

Description References a unique task by UUID.

Elements (6)
prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

responsible-party

element
(global definition)

[0 to ∞]

Responsible Party

Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

Remarks

Identifies the person or organization responsible for performing a specific role defined by the activity.

Constraints (2)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

Attribute (1)

role-id

NCName

[1]

Responsible Role

Description The role that the party is responsible for.

Elements (4)

party-uuid

uuid

[1 to ∞]

Party Reference

Description References a party defined in metadata.

Remarks

Specifies one or more parties that are responsible for performing the associated role.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

subject

element
(global definition)

[0 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task was performed against.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

identified-subject

element

[0 or 1]

Identified Subject

Description Used to detail assessment subjects that were identfied by this task.

Attribute (1)

subject-placeholder-uuid

uuid

[1]

Assessment Subject Placeholder Universally Unique Identifier Reference

Description References a unique assessment subject placeholder defined by this task.

Element (1)

subject

element
(global definition)

[1 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task identified, which will be used by another task through a subject-placeholder reference. Such a task will "consume" these subjects.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

subject

element

[0 to ∞]

Identifies the Subject

Description A pointer to a resource based on its universally unique identifier (UUID). Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.

Remarks

The subject reference UUID could point to an item defined in the SSP, AP, or AR.

Tools should check look for the ID in every file imported directly or indirectly.

Identifies who was interviewed, or what was tested or inspected.

Attributes (2)
uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

type

NCName

[1]

Universally Unique Identifier Reference Type

Description Used to indicate the type of object pointed to by the uuid-ref.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: Component
  • inventory-item: Inventory Item
  • location: Location
  • party: Interview Party
  • user: User
  • resource: Resource or Artifact
Elements (4)
title

markup-line

[0 or 1]

Subject Reference Title

Description The title or name for the referenced subject.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

relevant-evidence

element

[0 to ∞]

Relevant Evidence

Description Links this observation to relevant evidence.

Attribute (1)
href

uri-reference

[0 or 1]

Relevant Evidence Reference

Description >A resolvable URL reference to relevant evidence.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

Elements (4)
description

markup-multiline

[1]

Relevant Evidence Description

Description A human-readable description of this evidence.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

collected

dateTime-with-timezone

[1]

collected field

Description Date/time stamp identifying when the finding information was collected.

expires

dateTime-with-timezone

[0 or 1]

expires field

Description Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

risk

element
(global definition)

[0 to ∞]

Identified Risk

Description An identified risk.

Constraints (2)

allowed values for prop/@name

The value must be one of the following:

  • false-positive: The risk has been confirmed to be a false positive.
  • accepted: The risk has been accepted. No further action will be taken.
  • risk-adjusted: The risk has been adjusted.
  • priority: A numeric value indicating the sequence in which risks should be addressed. (Lower numbers are higher priority)

matches for prop[@name='priority']/@value: the target value must match the lexical form of the 'integer' data type.

Attribute (1)

uuid

uuid

[1]

Risk Universally Unique Identifier

Description Uniquely identifies this risk. This UUID may be referenced elsewhere in an OSCAL document when refering to this information. Once assigned, a UUID should be consistantly used for a given risk across revisions.

Elements (14)

title

markup-line

[1]

Risk Title

Description The title for this risk.

description

markup-multiline

[1]

Risk Description

Description A human-readable summary of what was identified regarding the risk.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

statement

markup-multiline

[1]

Risk Statement

Description An summary of impact for how the risk affects the system.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

status

NCName

[1]

Status

Description Describes the status of the associated risk.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • open: The risk has been identified.
  • investigating: The identified risk is being investigated. (Open risk)
  • remediating: Remediation activities are underway, but are not yet complete. (Open risk)
  • deviation-requested: A risk deviation, such as false positive, risk reduction, or operational requirement has been submitted for approval. (Open risk)
  • deviation-approved: A risk deviation, such as false positive, risk reduction, or operational requirement has been approved. (Open risk)
  • closed: The risk has been resolved.

origin

element
(global definition)

[0 to ∞]

Origin

Description Identifies the source of the finding, such as a tool, interviewed person, or activity.

Remarks

Used to identify the individual and/or tool that identified this risk.

Elements (2)
actor

element
(global definition)

[1 to ∞]

Originating Actor

Description The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.

Attributes (3)
type

NCName

[1]

Actor Type

Description The kind of actor.

Constraint (1)

allowed values

The value must be one of the following:

  • tool: A reference to a tool component defined with the assessment assets.
  • assessment-platform: A reference to an assessment-platform defined with the assessment assets.
  • party: A reference to a party defined within the document metadata.
uuid-ref

uuid

[1]

Actor UUID Reference

Description A pointer to the tool or person based on the associated type.

role-id

NCName

[0 or 1]

Actor Role

Description For a party, this can optionally be used to specify the role the actor was performing.

Elements (2)
prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

related-task

element
(global definition)

[0 to ∞]

Task Reference

Description Identifies an individual task for which the containing object is a consequence of.

Attribute (1)
task-uuid

uuid

[1]

Task Universally Unique Identifier Reference

Description References a unique task by UUID.

Elements (6)
prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

responsible-party

element
(global definition)

[0 to ∞]

Responsible Party

Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

Remarks

Identifies the person or organization responsible for performing a specific role defined by the activity.

Constraints (2)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

Attribute (1)

role-id

NCName

[1]

Responsible Role

Description The role that the party is responsible for.

Elements (4)

party-uuid

uuid

[1 to ∞]

Party Reference

Description References a party defined in metadata.

Remarks

Specifies one or more parties that are responsible for performing the associated role.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

subject

element
(global definition)

[0 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task was performed against.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

identified-subject

element

[0 or 1]

Identified Subject

Description Used to detail assessment subjects that were identfied by this task.

Attribute (1)

subject-placeholder-uuid

uuid

[1]

Assessment Subject Placeholder Universally Unique Identifier Reference

Description References a unique assessment subject placeholder defined by this task.

Element (1)

subject

element
(global definition)

[1 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task identified, which will be used by another task through a subject-placeholder reference. Such a task will "consume" these subjects.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

threat-id

uri

[0 to ∞]

Threat ID

Description A pointer, by ID, to an externally-defined threat.

Attributes (2)
system

uri

[1]

Threat Type Identification System

Description Specifies the source of the threat information.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • https://fedramp.gov: The value conforms to FedRAMP definitions.
href

uri-reference

[0 or 1]

Threat Information Resource Reference

Description An optional location for the threat data, from which this ID originates.

characterization

element
(global definition)

[0 to ∞]

Characterization

Description A collection of descriptive data about the containing object from a specific origin.

Elements (4)
prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

origin

element
(global definition)

[1]

Origin

Description Identifies the source of the finding, such as a tool, interviewed person, or activity.

Remarks

metadata about the specific actor that generated this descriptive data.

Elements (2)
actor

element
(global definition)

[1 to ∞]

Originating Actor

Description The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.

Attributes (3)

type

NCName

[1]

Actor Type

Description The kind of actor.

Constraint (1)

allowed values

The value must be one of the following:

  • tool: A reference to a tool component defined with the assessment assets.
  • assessment-platform: A reference to an assessment-platform defined with the assessment assets.
  • party: A reference to a party defined within the document metadata.

uuid-ref

uuid

[1]

Actor UUID Reference

Description A pointer to the tool or person based on the associated type.

role-id

NCName

[0 or 1]

Actor Role

Description For a party, this can optionally be used to specify the role the actor was performing.

Elements (2)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

related-task

element
(global definition)

[0 to ∞]

Task Reference

Description Identifies an individual task for which the containing object is a consequence of.

Attribute (1)

task-uuid

uuid

[1]

Task Universally Unique Identifier Reference

Description References a unique task by UUID.

Elements (6)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

responsible-party

element
(global definition)

[0 to ∞]

Responsible Party

Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

Remarks

Identifies the person or organization responsible for performing a specific role defined by the activity.

Constraints (2)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

Attribute (1)

role-id

NCName

[1]

Responsible Role

Description The role that the party is responsible for.

Elements (4)

party-uuid

uuid

[1 to ∞]

Party Reference

Description References a party defined in metadata.

Remarks

Specifies one or more parties that are responsible for performing the associated role.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

subject

element
(global definition)

[0 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task was performed against.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

identified-subject

element

[0 or 1]

Identified Subject

Description Used to detail assessment subjects that were identfied by this task.

Attribute (1)

subject-placeholder-uuid

uuid

[1]

Assessment Subject Placeholder Universally Unique Identifier Reference

Description References a unique assessment subject placeholder defined by this task.

Element (1)

subject

element
(global definition)

[1 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task identified, which will be used by another task through a subject-placeholder reference. Such a task will "consume" these subjects.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

facet

element

[1 to ∞]

Facet

Description An individual characteristic that is part of a larger set produced by the same actor.

Constraints (30)

allowed value for prop/@name

The value must be one of the following:

  • state: Indicates if the facet is 'initial' as first identified, or 'adjusted' indicating that the value has be changed after some adjustments have been made (e.g., to identify residual risk).

allowed values for prop[@name='risk-state']/@value

The value may be locally defined, or one of the following:

  • initial: As first identified.
  • adjusted: Indicates that residual risk remains after some adjustments have been made.

allowed values for (.)[@system='http://csrc.nist.gov/oscal']/@name

The value may be locally defined, or one of the following:

  • likelihood: General likelihood rating.
  • impact: General impact rating.
  • risk: General risk rating.
  • severity: General severity rating.

allowed values for (.)[@system='http://fedramp.gov']/@name

The value may be locally defined, or one of the following:

  • likelihood: Likelihood as defined by FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states.
  • impact: Impact as defined by FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states.
  • risk: Risk as calculated according to FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states.

allowed value for (.)[@system='http://cve.mitre.org']/@name

The value must be one of the following:

  • cve-id: An identifier managed by the CVE program (see https://cve.mitre.org/).

allowed values for (.)[@system='http://www.first.org/cvss/v2.0']/@name

The value must be one of the following:

  • access-vector: Base: Access Vector
  • access-complexity: Base: Access Complexity
  • authentication: Base: Authentication
  • confidentiality-impact: Base: Confidentiality Impact
  • integrity-impact: Base: Integrity Impact
  • availability-impact: Base: Availability Impact
  • exploitability: Temporal: Exploitability
  • remediation-level: Temporal: Remediation Level
  • report-confidence: Temporal: Report Confidence
  • collateral-damage-potential: Environmental: Collateral Damage Potential
  • target-distribution: Environmental: Target Distribution
  • confidentiality-requirement: Environmental: Confidentiality Requirement
  • integrity-requirement: Environmental: Integrity Requirement
  • availability-requirement: Environmental: Availability Requirement

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='access-vector']/@value

The value must be one of the following:

  • local: Local
  • adjacent-network: Network Adjacent
  • network: Network

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='access-complexity']/@value

The value must be one of the following:

  • high: High
  • medium: Medium
  • low: Low

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='authentication']/@value

The value must be one of the following:

  • multiple: Multiple
  • single: Single
  • none: None

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name=('confidentiality-impact', 'integrity-impact', 'availability-impact')]/@value

The value must be one of the following:

  • none: None
  • partial: Partial
  • complete: Complete

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='exploitability']/@value

The value must be one of the following:

  • unproven: Unproven
  • proof-of-concept: Proof-of-Concept
  • functional: Functional
  • high: High
  • not-defined: Not Defined

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='remediation-level']/@value

The value must be one of the following:

  • official-fix: Official Fix
  • temporary-fix: Temporary Fix
  • workaround: Workaround
  • unavailable: Unavailable
  • not-defined: Not Defined

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='report-confidence']/@value

The value must be one of the following:

  • unconfirmed: Unconfirmed
  • uncorroborated: Uncorroborated
  • confirmed: Confirmed
  • not-defined: Not Defined

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='collateral-damage-potential']/@value

The value must be one of the following:

  • none: None
  • low: Low (light loss)
  • low-medium: Low Medium
  • medium-high: Medium High
  • high: High (catastrophic loss)
  • not-defined: Not Defined

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name=('target-distribution', 'confidentiality-requirement', 'integrity-requirement', 'availability-requirement')]/@value

The value must be one of the following:

  • none
  • low
  • medium
  • high
  • not-defined

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1')]/@name

The value must be one of the following:

  • attack-vector: Base: Attack Vector
  • access-complexity: Base: Attack Complexity
  • privileges-required: Base: Privileges Required
  • user-interaction: Base: User Interaction
  • scope: Base: Scope
  • confidentiality-impact: Base: Confidentiality Impact
  • integrity-impact: Base: Integrity Impact
  • availability-impact: Base: Availability Impact
  • exploit-code-maturity: Temporal: Exploit Code Maturity
  • remediation-level: Temporal: Remediation Level
  • report-confidence: Temporal: Report Confidence
  • modified-attack-vector: Environmental: Modified Attack Vector
  • modified-attack-complexity: Environmental: Modified Attack Complexity
  • modified-privileges-required: Environmental: Modified Privileges Required
  • modified-user-interaction: Environmental: Modified User Interaction
  • modified-scope: Environmental: Modified Scope
  • modified-confidentiality: Environmental: Modified Confidentiality
  • modified-integrity: Environmental: Modified Integrity
  • modified-availability: Environmental: Modified Availability
  • confidentiality-requirement: Environmental: Confidentiality Requirement Modifier
  • integrity-requirement: Environmental: Integrity Requirement Modifier
  • availability-requirement: Environmental: Availability Requirement Modifier

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='access-vector']/@value

The value must be one of the following:

  • network: Network
  • adjacent: Adjacent
  • local: Local
  • physical: Physical

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='access-complexity']/@value

The value must be one of the following:

  • high: High
  • low: Low

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name=('privileges-required', 'confidentiality-impact', 'integrity-impact', 'availability-impact')]/@value

The value must be one of the following:

  • none: None
  • low: Low
  • high: High

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='user-interaction']/@value

The value must be one of the following:

  • none: None
  • required: Required

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='scope']/@value

The value must be one of the following:

  • unchanged: Unchanged
  • changed: Changed

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='exploit-code-maturity']/@value

The value must be one of the following:

  • not-defined: Not Defined
  • unproven: Unproven
  • proof-of-concept: Proof-of-Concept
  • functional: Functional
  • high: High

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='remediation-level']/@value

The value must be one of the following:

  • not-defined: Not Defined
  • official-fix: Official Fix
  • temporary-fix: Temporary Fix
  • workaround: Workaround
  • unavailable: Unavailable

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='report-confidence']/@value

The value must be one of the following:

  • not-defined: Not Defined
  • unknown: Unknown
  • reasonable: Reasonable
  • confirmed: Confirmed

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name=('confidentiality-requirement', 'integrity-requirement', 'availability-requirement')]/@value

The value must be one of the following:

  • not-defined: Not Defined
  • low: Low
  • medium: Medium
  • high: High

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-attack-vector']/@value

The value must be one of the following:

  • not-defined: Not Defined
  • network: Network
  • adjacent: Adjacent
  • local: Local
  • physical: Physical

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-attack-complexity']/@value

The value must be one of the following:

  • not-defined: Not Defined
  • high: High
  • low: Low

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name=('modified-privileges-required', 'modified-confidentiality', 'modified-integrity', 'modified-availability')]/@value

The value must be one of the following:

  • not-defined: Not Defined
  • none: None
  • low: Low
  • high: High

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-user-interaction']/@value

The value must be one of the following:

  • not-defined: Not Defined
  • none: None
  • required: Required

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-scope']/@value

The value must be one of the following:

  • not-defined: Not Defined
  • unchanged: Unchanged
  • changed: Changed
Attributes (3)
name

NCName

[1]

Facet Name

Description The name of the risk metric within the specified system.

system

uri

[1]

Naming System

Description Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • http://fedramp.gov
  • http://csrc.nist.gov/ns/oscal
  • http://csrc.nist.gov/ns/oscal/unknown: The facet is from an unknown taxonomy. The meaning of the name is tool or organization specific.
  • http://cve.mitre.org
  • http://www.first.org/cvss/v2.0
  • http://www.first.org/cvss/v3.0
  • http://www.first.org/cvss/v3.1
value

string

[1]

Facet Value

Description Indicates the value of the facet.

Elements (3)
prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

mitigating-factor

element

[0 to ∞]

Mitigating Factor

Description Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.

Attributes (2)
uuid

uuid

[1]

Mitigating Factor Universally Unique Identifier

Description Uniquely identifies this mitigating factor. This UUID may be referenced elsewhere in an OSCAL document when refering to this information. Once assigned, a UUID should be consistantly used for a given mitigating factor across revisions.

implementation-uuid

uuid

[0 or 1]

Implementation UUID

Description Points to an implementation statement in the SSP.

Elements (4)
description

markup-multiline

[1]

Mitigating Factor Description

Description A human-readable description of this mitigating factor.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

subject

element

[0 to ∞]

Identifies the Subject

Description A pointer to a resource based on its universally unique identifier (UUID). Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.

Remarks

The subject reference UUID could point to an item defined in the SSP, AP, or AR.

Tools should check look for the ID in every file imported directly or indirectly.

Links identifiable elements of the system to this mitigating factor, such as an inventory-item or component.

Attributes (2)
uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

type

NCName

[1]

Universally Unique Identifier Reference Type

Description Used to indicate the type of object pointed to by the uuid-ref.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: Component
  • inventory-item: Inventory Item
  • location: Location
  • party: Interview Party
  • user: User
  • resource: Resource or Artifact
Elements (4)
title

markup-line

[0 or 1]

Subject Reference Title

Description The title or name for the referenced subject.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

deadline

dateTime-with-timezone

[0 or 1]

Risk Resolution Deadline

Description The date/time by which the risk must be resolved.

response

element

[0 to ∞]

Risk Response

Description Describes either recommended or an actual plan for addressing the risk.

Constraints (2)

allowed value for prop/@name

The value may be locally defined, or the following:

  • type

allowed values for prop[@name='type']/@value

The value may be locally defined, or one of the following:

  • avoid: The risk will be eliminated.
  • mitigate: The risk will be reduced.
  • transfer: The risk will be transferred to another organization or entity.
  • accept: The risk will continue to exist without further efforts to address it. (Sometimes referred to as "Operationally required")
  • share: The risk will be partially transferred to another organization or entity.
  • contingency: Plans will be made to address the risk impact if the risk occurs. (This is a form of mitigation.)
  • none: No response, such as when the identified risk is found to be a false positive.
Attributes (2)
uuid

uuid

[1]

Remediation Universally Unique Identifier

Description Uniquely identifies this remediation. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given remediation across revisions.

lifecycle

NCName

[1]

Remediation Intent

Description Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • recommendation: Recommended Remediation
  • planned: The actions intended to resolve the risk.
  • completed: This remediation activities were performed to address the risk.
Elements (8)
title

markup-line

[1]

Response Title

Description The title for this response activity.

description

markup-multiline

[1]

Response Description

Description A human-readable description of this response plan.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

origin

element
(global definition)

[0 to ∞]

Origin

Description Identifies the source of the finding, such as a tool, interviewed person, or activity.

Remarks

Used to identify the individual and/or tool that generated this recommended or planned response.

Elements (2)
actor

element
(global definition)

[1 to ∞]

Originating Actor

Description The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.

Attributes (3)

type

NCName

[1]

Actor Type

Description The kind of actor.

Constraint (1)

allowed values

The value must be one of the following:

  • tool: A reference to a tool component defined with the assessment assets.
  • assessment-platform: A reference to an assessment-platform defined with the assessment assets.
  • party: A reference to a party defined within the document metadata.

uuid-ref

uuid

[1]

Actor UUID Reference

Description A pointer to the tool or person based on the associated type.

role-id

NCName

[0 or 1]

Actor Role

Description For a party, this can optionally be used to specify the role the actor was performing.

Elements (2)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

related-task

element
(global definition)

[0 to ∞]

Task Reference

Description Identifies an individual task for which the containing object is a consequence of.

Attribute (1)

task-uuid

uuid

[1]

Task Universally Unique Identifier Reference

Description References a unique task by UUID.

Elements (6)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

responsible-party

element
(global definition)

[0 to ∞]

Responsible Party

Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

Remarks

Identifies the person or organization responsible for performing a specific role defined by the activity.

Constraints (2)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

Attribute (1)

role-id

NCName

[1]

Responsible Role

Description The role that the party is responsible for.

Elements (4)

party-uuid

uuid

[1 to ∞]

Party Reference

Description References a party defined in metadata.

Remarks

Specifies one or more parties that are responsible for performing the associated role.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

subject

element
(global definition)

[0 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task was performed against.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

identified-subject

element

[0 or 1]

Identified Subject

Description Used to detail assessment subjects that were identfied by this task.

Attribute (1)

subject-placeholder-uuid

uuid

[1]

Assessment Subject Placeholder Universally Unique Identifier Reference

Description References a unique assessment subject placeholder defined by this task.

Element (1)

subject

element
(global definition)

[1 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task identified, which will be used by another task through a subject-placeholder reference. Such a task will "consume" these subjects.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

required-asset

element

[0 to ∞]

Required Asset

Description Identifies an asset required to achieve remediation.

Constraint (1)

allowed values for origin/@type

The value must be one of the following:

  • party: The UUID of the person or organization who made the recommendation
  • tool: The UUID of the tool that made the recommendation
Attribute (1)
uuid

uuid

[1]

Required Universally Unique Identifier

Description Uniquely identifies this required asset. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given required asset across revisions.

Elements (6)
subject

element

[0 to ∞]

Identifies the Subject

Description A pointer to a resource based on its universally unique identifier (UUID). Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.

Remarks

The subject reference UUID could point to an item defined in the SSP, AP, or AR.

Tools should check look for the ID in every file imported directly or indirectly.

Identifies an asset associated with this requirement, such as a party, system component, or inventory-item.

Attributes (2)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

type

NCName

[1]

Universally Unique Identifier Reference Type

Description Used to indicate the type of object pointed to by the uuid-ref.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: Component
  • inventory-item: Inventory Item
  • location: Location
  • party: Interview Party
  • user: User
  • resource: Resource or Artifact
Elements (4)

title

markup-line

[0 or 1]

Subject Reference Title

Description The title or name for the referenced subject.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

title

markup-line

[0 or 1]

Title for Required Asset

Description The title for this required asset.

description

markup-multiline

[1]

Description of Required Asset

Description A human-readable description of this required asset.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

task

element
(global definition)

[0 to ∞]

Task

Description Represents a scheduled event or milestone, which may be associated with a series of assessment actions.

Attributes (2)
uuid

uuid

[1]

Task Universally Unique Identifier

Description Uniquely identifies this assessment task.

type

NCName

[1]

Task Type

Description The type of task.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • milestone: The task represents a planned milestone.
  • action: The task represents a specific assessment action to be performed.
Elements (11)
title

markup-line

[1]

Task Title

Description The title for this task.

description

markup-multiline

[0 or 1]

Task Description

Description A human-readable description of this task.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

timing

element

[0 or 1]

Event Timing

Description The timing under which the task is intended to occur.

Elements (3)

A choice:

on-date

empty

[1]

On Date Condition

Description The task is intended to occur on the specified date.

Attribute (1)

date

dateTime-with-timezone

[1]

On Date Condition

Description The task must occur on the specified date.

within-date-range

empty

[1]

On Date Range Condition

Description The task is intended to occur within the specified date range.

Attributes (2)

start

dateTime-with-timezone

[1]

Start Date Condition

Description The task must occur on or after the specified date.

end

dateTime-with-timezone

[1]

End Date Condition

Description The task must occur on or before the specified date.

at-frequency

empty

[1]

Frequency Condition

Description The task is intended to occur at the specified frequency.

Attributes (2)

period

positiveInteger

[1]

Period

Description The task must occur after the specified period has elapsed.

unit

string

[1]

Time Unit

Description The unit of time for the period.

Constraint (1)

allowed values

The value must be one of the following:

  • seconds: The period is specified in seconds.
  • minutes: The period is specified in minutes.
  • hours: The period is specified in hours.
  • days: The period is specified in days.
  • months: The period is specified in calendar months.
  • years: The period is specified in calendar years.
dependency

element

[0 to ∞]

Task Dependency

Description Used to indicate that a task is dependant on another task.

Attribute (1)

task-uuid

uuid

[1]

Task Universally Unique Identifier Reference

Description References a unique task by UUID.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

task

element
(global definition)

[0 to ∞]

Task

Description Represents a scheduled event or milestone, which may be associated with a series of assessment actions.

associated-activity

element

[0 to ∞]

Associated Activity

Description Identifies an individual activity to be performed as part of a task.

Attribute (1)

activity-uuid

uuid

[1]

Activity Universally Unique Identifier Reference

Description References an activity defined in the list of activities.

Elements (6)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

responsible-role

element
(global definition)

[0 to ∞]

Responsible Role

Description A reference to one or more roles with responsibility for performing a function relative to the containing object.

Remarks

Identifies the person or organization responsible for performing a specific role defined by the activity.

Attribute (1)

role-id

NCName

[1]

Responsible Role ID

Description The role that is responsible for the business function.

Elements (4)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

party-uuid

uuid

[0 to ∞]

Party Reference

Description References a party defined in metadata.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

A choice:

subject

element
(global definition)

[1 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

subject-placeholder

element
(global definition)

[0 or 1]

Assessment Subject Placeholder

Description Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.

Attribute (1)

uuid

uuid

[1]

Assessment Subject Placeholder Universally Unique Identifier

Description Uniquely identifies a set of assessment subjects that will be identified by a task or an activity that is part of a task.

Elements (5)

description

markup-multiline

[0 or 1]

Assessment Subject Placeholder Description

Description A human-readable description of intent of this assessment subject placeholder.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

source

empty

[1 to ∞]

Assessment Subject Source

Description Assessment subjects will be identified while conducting the referenced activity-instance.

Attribute (1)

task-uuid

uuid

[1]

Task Universally Unique Identifier

Description Uniquely identifies an assessment activity to be performed as part of the event. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for this schedule across revisions of the document.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

subject

element
(global definition)

[0 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the activity was performed against.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

responsible-role

element
(global definition)

[0 to ∞]

Responsible Role

Description A reference to one or more roles with responsibility for performing a function relative to the containing object.

Remarks

Identifies the person or organization responsible for performing a specific role related to the task.

Attribute (1)

role-id

NCName

[1]

Responsible Role ID

Description The role that is responsible for the business function.

Elements (4)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

party-uuid

uuid

[0 to ∞]

Party Reference

Description References a party defined in metadata.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

risk-log

element

[0 or 1]

Risk Log

Description A log of all risk-related tasks taken.

Element (1)
entry

element

[1 to ∞]

Risk Log Entry

Description Identifies the result of a task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results.

Constraints (2)

allowed value for prop/@name

The value may be locally defined, or the following:

  • type: The type of remediation tracking entry. Can be multi-valued.

allowed values for prop/[@name='type']/@value

The value may be locally defined, or one of the following:

  • vendor-check-in: Contacted vendor to determine the status of a pending fix to a known vulnerability.
  • status-update: Information related to the current state of response to this risk.
  • milestone-complete: A significant step in the response plan has been achieved.
  • mitigation: An activity was completed that reduces the likelihood or impact of this risk.
  • remediated: An activitiy was completed that eliminates the likelihood or impact of this risk.
  • closed: The risk is no longer applicable to the system.
  • dr-submission: A deviation request was made to the authorizing official.
  • dr-updated: A previously submitted deviation request has been modified.
  • dr-approved: The authorizing official approved the deviation.
  • dr-rejected: The authorizing official rejected the deviation.
Attribute (1)
uuid

uuid

[1]

Risk Log Entry Universally Unique Identifier

Description Uniquely identifies an assessment event. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for this schedule across revisions of the document.

Elements (10)
title

markup-line

[0 or 1]

Action Title

Description The title for this event.

description

markup-multiline

[0 or 1]

Action Description

Description A human-readable description of this event.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

Description Identifies the start date and time of an event.

Description Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

logged-by

empty

[0 to ∞]

Logged By

Description Used to indicate who created a log entry in what role.

Attributes (2)

party-uuid

uuid

[1]

Party UUID Reference

Description A pointer to the party who is making the log entry.

role-id

NCName

[0 or 1]

Actor Role

Description A point to the role-id of the role in which the party is making the log entry.

status-change

NCName

[0 or 1]

Risk Status

Description Describes the status of the associated risk.

Remarks

Identifies a change in risk status made resulting from the task described by this risk log entry. This allows the risk's status history to be captured as a sequence of risk log entries.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • open: The risk has been identified.
  • investigating: The identified risk is being investigated. (Open risk)
  • remediating: Remediation activities are underway, but are not yet complete. (Open risk)
  • deviation-requested: A risk deviation, such as false positive, risk reduction, or operational requirement has been submitted for approval. (Open risk)
  • deviation-approved: A risk deviation, such as false positive, risk reduction, or operational requirement has been approved. (Open risk)
  • closed: The risk has been resolved.
related-response

element

[0 to ∞]

Action Reference

Description Identifies an individual risk response that this log entry is for.

Attribute (1)

response-uuid

uuid

[1]

Response Universally Unique Identifier Reference

Description References a unique risk response by UUID.

Elements (4)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

related-task

element
(global definition)

[0 to ∞]

Task Reference

Description Identifies an individual task for which the containing object is a consequence of.

Remarks

This is used to identify the task(s) that this log entry was generated for.

Attribute (1)

task-uuid

uuid

[1]

Task Universally Unique Identifier Reference

Description References a unique task by UUID.

Elements (6)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

responsible-party

element
(global definition)

[0 to ∞]

Responsible Party

Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

Remarks

Identifies the person or organization responsible for performing a specific role defined by the activity.

Constraints (2)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

Attribute (1)

role-id

NCName

[1]

Responsible Role

Description The role that the party is responsible for.

Elements (4)

party-uuid

uuid

[1 to ∞]

Party Reference

Description References a party defined in metadata.

Remarks

Specifies one or more parties that are responsible for performing the associated role.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

subject

element
(global definition)

[0 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task was performed against.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

identified-subject

element

[0 or 1]

Identified Subject

Description Used to detail assessment subjects that were identfied by this task.

Attribute (1)

subject-placeholder-uuid

uuid

[1]

Assessment Subject Placeholder Universally Unique Identifier Reference

Description References a unique assessment subject placeholder defined by this task.

Element (1)

subject

element
(global definition)

[1 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task identified, which will be used by another task through a subject-placeholder reference. Such a task will "consume" these subjects.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

related-observation

empty

[0 to ∞]

Related Observation

Description Relates the finding to a set of referenced observations that were used to determine the finding.

Attribute (1)
observation-uuid

uuid

[1]

Observation Universally Unique Identifier Reference

Description References an observation defined in the list of observations.

finding

element
(global definition)

[1 to ∞]

Finding

Description Describes an individual finding.

Attribute (1)

uuid

uuid

[1]

Finding Universally Unique Identifier

Description Uniquely identifies this finding. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given finding across revisions.

Elements (10)

title

markup-line

[1]

Finding Title

Description The title for this finding.

description

markup-multiline

[1]

Finding Description

Description A human-readable description of this finding.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

origin

element
(global definition)

[0 to ∞]

Origin

Description Identifies the source of the finding, such as a tool, interviewed person, or activity.

Remarks

Used to identify the individual and/or tool generated this finding.

Elements (2)
actor

element
(global definition)

[1 to ∞]

Originating Actor

Description The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.

Attributes (3)
type

NCName

[1]

Actor Type

Description The kind of actor.

Constraint (1)

allowed values

The value must be one of the following:

  • tool: A reference to a tool component defined with the assessment assets.
  • assessment-platform: A reference to an assessment-platform defined with the assessment assets.
  • party: A reference to a party defined within the document metadata.
uuid-ref

uuid

[1]

Actor UUID Reference

Description A pointer to the tool or person based on the associated type.

role-id

NCName

[0 or 1]

Actor Role

Description For a party, this can optionally be used to specify the role the actor was performing.

Elements (2)
prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

related-task

element
(global definition)

[0 to ∞]

Task Reference

Description Identifies an individual task for which the containing object is a consequence of.

Attribute (1)
task-uuid

uuid

[1]

Task Universally Unique Identifier Reference

Description References a unique task by UUID.

Elements (6)
prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

responsible-party

element
(global definition)

[0 to ∞]

Responsible Party

Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

Remarks

Identifies the person or organization responsible for performing a specific role defined by the activity.

Constraints (2)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

Attribute (1)

role-id

NCName

[1]

Responsible Role

Description The role that the party is responsible for.

Elements (4)

party-uuid

uuid

[1 to ∞]

Party Reference

Description References a party defined in metadata.

Remarks

Specifies one or more parties that are responsible for performing the associated role.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

subject

element
(global definition)

[0 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task was performed against.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

identified-subject

element

[0 or 1]

Identified Subject

Description Used to detail assessment subjects that were identfied by this task.

Attribute (1)

subject-placeholder-uuid

uuid

[1]

Assessment Subject Placeholder Universally Unique Identifier Reference

Description References a unique assessment subject placeholder defined by this task.

Element (1)

subject

element
(global definition)

[1 to ∞]

Subject of Assessment

Description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task identified, which will be used by another task through a subject-placeholder reference. Such a task will "consume" these subjects.

Attribute (1)

type

NCName

[1]

Subject Type

Description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (7)

description

markup-multiline

[0 or 1]

Include Subjects Description

Description A human-readable description of the collection of subjects being included in this assessment.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

A choice:

include-all

empty

[1]

All

Description A key word to indicate all.

include-subject

element
(global definition)

[1 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

exclude-subject

element
(global definition)

[0 to ∞]

Select Assessment Subject

Description Identifies a set of assessment subjects to include/exclude by UUID.

Attribute (1)

uuid-ref

uuid

[1]

UUID Reference

Description A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

Elements (3)

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)

name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)

href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)

text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

target

element
(global definition)

[0 or 1]

Objective Status

Description Captures an assessor's conclusions regarding the degree to which an objective is satisfied.

Remarks

While use of target is optional, it is recommended to use this object to identify the target of the finding providing traceability.

Attributes (2)
type

string

[1]

Finding Target Type

Description Identifies the type of the target.

Remarks

The target will always be a reference to: 1) a control statement, or 2) a control objective. In the former case, there is always a single top-level statement within a control. Thus, if the entire control is targeted, this statement identifier can be used.

Constraint (1)

allowed values

The value must be one of the following:

  • statement-id: A reference to a control statement identifier within a control.
  • objective-id: A reference to a control objective identifier within a control.
id-ref

NCName

[1]

Finding Target Identifier Reference

Description Identifies the specific target qualified by the type.

Elements (7)
title

markup-line

[0 or 1]

Objective Status Title

Description The title for this objective status.

description

markup-multiline

[0 or 1]

Objective Status Description

Description A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

element
(global definition)

[0 to ∞]

Link

Description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

Attributes (3)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

NCName

[0 or 1]

Relation

Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference
media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Element (1)
text

markup-line

[0 or 1]

Link Text

Description A textual label to associate with the link, which may be used for presentation in a tool.

status

NCName

[1]

Objective Status

Description A brief indication as to whether the objective is satisfied or not within a given system.

Constraint (1)

allowed values

The value must be one of the following:

  • satisfied: The objective has been completely satisfied.
  • not-satisfied: The objective has not been completely satisfied, but may be partially satisfied.
implementation-status

element
(global definition)

[0 or 1]

Implementation Status

Description Indicates the degree to which the a given control is implemented.

Remarks

The implementation-status is used to qualify the status value to indicate the degree to which the control was found to be implemented.

Attribute (1)
state

NCName

[1]

Implementation State

Description Identifies the implementation status of the control or control objective.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • implemented: The control is fully implemented.
  • partial: The control is partially implemented.
  • planned: There is a plan for implementing the control as explained in the remarks.
  • alternative: There is an alternative implementation for this control as explained in the remarks.
  • not-applicable: This control does not apply to this system as justified in the remarks.
Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

implementation-statement-uuid

uuid

[0 or 1]

Implementation Statement UUID

Description Identifies the implementation statement in the SSP to which this finding is related.

related-observation

empty

[0 to ∞]

Related Observation

Description Relates the finding to a set of referenced observations that were used to determine the finding.

Attribute (1)
observation-uuid

uuid

[1]

Observation Universally Unique Identifier Reference

Description References an observation defined in the list of observations.

associated-risk

empty

[0 to ∞]

Associated Risk

Description Relates the finding to a set of referenced risks that were used to determine the finding.

Attribute (1)
risk-uuid

uuid

[1]

Risk Universally Unique Identifier Reference

Description References an risk defined in the list of risks.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

back-matter

element
(global definition)

[0 or 1]

Back matter

Description A collection of resources, which may be included directly or by reference.

Remarks

Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference identifier. Other specialized link "rel" values also use this pattern when indicated in that context of use.

Constraint (1)

index for resource an index index-back-matter-resource shall list values returned by targets resource using keys constructed of key field(s) @uuid

Element (1)

resource

element

[0 to ∞]

Resource

Description A resource associated with content in the containing document. A resource may be directly included in the document base64 encoded or may point to one or more equivalent internet resources.

Remarks

A resource can be used in two ways. 1) it may point to an specific retrievable network resource using a rlink, or 2) it may be included as an attachment using a base64. A resource may contain multiple rlink and base64 entries that represent alternative download locations (rlink) and attachments (base64) for the same resource. Both rlink and base64 allow for a media-type to be specified, which is used to distiguish between different representations of the same resource (e.g., Microsoft Word, PDF). When multiple rlink and base64 items are included for a given resource, all items must contain equivalent information. This allows the document consumer to choose a preferred item to process based on a the selected item's media-type. This is extremely important when the items represent OSCAL content that is represented in alternate formats (i.e., XML, JSON, YAML), allowing the same OSCAL data to be processed from any of the available formats indicated by the items.

When a resource includes a citation, then the title and citation properties must both be included.

Constraints (7)

allowed values for prop/@name

The value must be one of the following:

  • type: Identifies the type of resource represented.
  • version: For resources representing a published document, this represents the version number of that document.
  • published: For resources representing a published document, this represents the publication date of that document.

matches for prop[(not(exists(@ns)) or @ns='http://csrc.nist.gov/ns/oscal') and @name='published']/@value: the target value must match the lexical form of the 'dateTime' data type.

allowed values for prop[@name='type']/@value

The value may be locally defined, or one of the following:

  • logo: Indicates the resource is an organization's logo.
  • image: Indicates the resource represents an image.
  • screen-shot: Indicates the resource represents an image of screen content.
  • law: Indicates the resource represents an applicable law.
  • regulation: Indicates the resource represents an applicable regulation.
  • standard: Indicates the resource represents an applicable standard.
  • external-guidance: Indicates the resource represents applicable guidance.
  • acronyms: Indicates the resource provides a list of relevant acronyms.
  • citation: Indicates the resource cites relevant information.
  • policy: Indicates the resource is a policy.
  • procedure: Indicates the resource is a procedure.
  • system-guide: Indicates the resource is guidance document related to the subject system of an SSP.
  • users-guide: Indicates the resource is guidance document a user's guide or administrator's guide.
  • administrators-guide: Indicates the resource is guidance document a administrator's guide.
  • rules-of-behavior: Indicates the resource represents rules of behavior content.
  • plan: Indicates the resource represents a plan.
  • artifact: Indicates the resource represents an artifact, such as may be reviewed by an assessor.
  • evidence: Indicates the resource represents evidence, such as to support an assessment findiing.
  • tool-output: Indicates the resource represents output from a tool.
  • raw-data: Indicates the resource represents machine data, which may require a tool or analysis for interpretation or presentation.
  • interview-notes: Indicates the resource represents notes from an interview, such as may be collected during an assessment.
  • questionnaire: Indicates the resource is a set of questions, possibly with responses.
  • report: Indicates the resource is a report.
  • agreement: Indicates the resource is a formal agreement between two or more parties.

has cardinality for rlink|base64 the cardinality of rlink|base64 is constrained: 1; maximum unbounded.

is unique for rlink: any target value must be unique (i.e., occur only once)

is unique for base64: any target value must be unique (i.e., occur only once)

has cardinality for title the cardinality of title is constrained: 1; maximum unbounded.

Attribute (1)

uuid

uuid

[1]

Resource Universally Unique Identifier

Description A globally unique identifier that can be used to reference this defined resource elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.

Elements (8)

title

markup-line

[0 or 1]

Resource Title

Description A name given to the resource, which may be used by a tool for display and navigation.

description

markup-multiline

[0 or 1]

Resource Description

Description A short summary of the resource used to indicate the purpose of the resource.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

document-id

string

[0 to ∞]

Document Identifier

Description A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element.

Remarks

This element is optional, but it will always have a valid value, as if it is missing the value of "document-id" is assumed to be equal to the UUID of the root. This requirement allows for document creators to retroactively link an update to the original version, by providing a document-id on the new document that is equal to the uuid of the original document.

Attribute (1)
scheme

uri

[0 or 1]

Document Identification Scheme

Description Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • https://www.doi.org/: A Digital Object Identifier (DOI); use is preferred, since this allows for retrieval of a full bibliographic record.

citation

element

[0 or 1]

Citation

Description A citation consisting of end note text and optional structured bibliographic data.

Remarks

The text is used to define the endnote text, without any required bibliographic structure. If structured bibliographic data is needed, then the biblio can be used for this purpose.

A biblio can be used to capture a structured bibliographical citation in an appropriate format.

Elements (3)
text

markup-line

[1]

Citation Text

Description A line of citation text.

prop

element
(global definition)

[0 to ∞]

Property

Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5)
name

NCName

[1]

Property Name

Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
uuid

uuid

[0 or 1]

Property Universally Unique Identifier

Description A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[1]

Property Value

Description Indicates the value of the attribute, characteristic, or quality.

class

NCName

[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Element (1)
remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)
(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

biblio

element

[0 or 1]

Bibliographic Definition

Description A container for structured bibliographic information. The model of this information is undefined by OSCAL.

element

[0 to ∞]

Resource link

Description A pointer to an external resource with an optional hash for verification and change detection.

Remarks

This construct is different from link, which makes no provision for a hash or formal title.

Multiple rlink can be included for a resource. In such a case, all provided rlink items are intended to be equivalent in content, but may differ in structure. A media-type is used to identify the format of a given rlink, and can be used to differentiate a items in a collection of rlinks. The media-type also provides a hint to the OSCAL document consumer about the structure of the resource referenced by the rlink.

Attributes (2)
href

uri-reference

[1]

Hypertext Reference

Description A resolvable URI reference to a resource.

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Element (1)
hash

string

[0 to ∞]

Hash

Description A representation of a cryptographic digest generated over a resource using a specified hash algorithm.

Remarks

A hash value can be used to authenticate that a referenced resource is the same resources as was pointed to by the author of the reference.

When appearing as part of a resource/rlink, the hash applies to the resource referenced by the href.

Attribute (1)
algorithm

string

[1]

Hash algorithm

Description Method by which a hash is derived

Remarks

Any other value used MUST be a value defined in the W3C XML Security Algorithm Cross-Reference Digest Methods (W3C, April 2013) or RFC 6931 Section 2.1.5 New SHA Functions.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • SHA-224: The SHA-224 algorithm as defined by NIST FIPS 180-4.
  • SHA-256: The SHA-256 algorithm as defined by NIST FIPS 180-4.
  • SHA-384: The SHA-384 algorithm as defined by NIST FIPS 180-4.
  • SHA-512: The SHA-512 algorithm as defined by NIST FIPS 180-4.
  • SHA3-224: The SHA3-224 algorithm as defined by NIST FIPS 202.
  • SHA3-256: The SHA3-256 algorithm as defined by NIST FIPS 202.
  • SHA3-384: The SHA3-384 algorithm as defined by NIST FIPS 202.
  • SHA3-512: The SHA3-512 algorithm as defined by NIST FIPS 202.

base64

base64Binary

[0 or 1]

Base64

Description The Base64 alphabet in RFC 2045 - aligned with XSD.

Attributes (2)
filename

uri-reference

[0 or 1]

File Name

Description Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.

media-type

string

[0 or 1]

Media Type

Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

remarks

markup-multiline

[0 or 1]

Remarks

Description Additional commentary on the containing object.

Element (0+)

(unwrapped)

markup-multiline

[0 to ∞]

This use of the markup-multiline type permits unwrapped block-level markup.

This page was last updated on June 8, 2021.